Cybersecurity analysts have reported the discovery of a harmful Rust package capable of infecting Windows, macOS, and Linux environments. The malicious crate was said to masquerade as a tool associated with Ethereum Virtual Machine utilities, allowing it to operate covertly on developer systems. Researchers noted that the package was crafted in a way that allowed it to blend into legitimate workflows within the Web3 development ecosystem.
The Rust crate, identified as evm-units, was initially published on crates.io in mid-April 2025 by an author using the handle ablerust. Over the following eight months, it accumulated more than 7,000 downloads. A second package tied to the same author, uniswap-utils, listed evm-units as a dependency and recorded more than 7,400 downloads. Both packages have since been removed from the repository.
Security researchers explained that the package behaved differently depending on the operating system and whether a particular antivirus tool was active. The malware was said to retrieve a payload, place it in the system’s temporary directory, and execute it silently. To the developer, the crate appeared to return an Ethereum version number, disguising its true behavior.
Targeting Users of a Popular Chinese Antivirus Tool
Investigators highlighted that the malware intentionally checked for the presence of qhsafetray.exe, a process linked to 360 Total Security, an antivirus application developed by the Chinese company Qihoo 360. This focus was viewed as an unusual and explicit targeting indicator. Researchers suggested that the emphasis on a China-based security product aligned with common crypto-theft patterns, given the prominence of cryptocurrency activity in Asian markets.
The harmful activity was embedded within a seemingly harmless function called get_evm_version(). When executed, the function contacted an external domain to download a second-stage payload tailored to the victim’s operating system.
- On Linux, the crate downloaded a script, stored it as /tmp/init, and launched it in the background via the nohup command, granting the attacker remote control.
- On macOS, it retrieved a file named init and executed it using osascript alongside nohup in the background.
- On Windows, it downloaded a PowerShell script labeled init.ps1 into the temporary directory, then scanned for the qhsafetray.exe process. If the process was absent, the malware generated a Visual Basic Script wrapper to run a hidden PowerShell session without displaying a window. If the antivirus process was found, execution shifted slightly but still proceeded through PowerShell.
This OS-specific branching allowed the attacker to maintain persistence and minimize the likelihood of detection across different environments.
Web3 Developers Positioned as Primary Targets
Researchers indicated that references to Ethereum and Uniswap strongly suggested that the incident was crafted to infiltrate Web3-related supply chains. By branding the malicious crates as utilities for Ethereum development, the threat actor was positioned to target developers or projects involved with decentralized applications and blockchain tooling.
According to the analysis, the individual behind the packages embedded a cross-platform loader inside what appeared to be routine helper functions. The risk was amplified because the malicious dependency was incorporated into another widely used package, allowing the code to run automatically during initialization without requiring developers to call any suspicious functions.
Overall, the incident underscored the growing threat of supply-chain attacks targeting open-source ecosystems, particularly those connected to blockchain development. Security specialists emphasized the importance of closer scrutiny over package sources and dependencies, especially within sectors where financial incentives drive increasingly sophisticated adversary behavior.
