Malicious Rust Crate Targets Web3 Developers

Researchers have uncovered a supply chain attack involving a malicious Rust crate named evm-units, designed to deliver OS-specific malware to developer systems under the guise of an Ethereum Virtual Machine (EVM) helper tool.

Key Findings

  • Crates involved:
    • evm-units (7,000+ downloads since April 2025).
    • uniswap-utils (7,400+ downloads), which listed evm-units as a dependency.
  • Execution flow:
    • Function get_evm_version() appears benign but secretly fetches payloads from download.videotalks[.]xyz.
    • Payload varies by OS:
      • Linux: downloads /tmp/init, runs with nohup.
      • macOS: downloads init, runs via osascript + nohup.
      • Windows: downloads init.ps1 PowerShell script, checks for Qihoo 360 AV process (qhsafetray.exe).
        • If absent → runs hidden PowerShell via VBScript wrapper.
        • If present → invokes PowerShell directly.
  • Stealth: Returns fake Ethereum version number to avoid suspicion.
  • Targeting indicator: Explicit check for Qihoo 360 AV, suggesting China-focused targeting.
  • Impact: Automatic execution when developers imported uniswap-utils, spreading compromise silently.
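The execution flow above translates directly into detection logic. The following Rust rule set is an added example, not the researchers' tooling or anything from the crates: it runs over constructed endpoint telemetry and reports which rule fired on which event. The log format (a timestamp followed by key=value fields, with a quoted cmd last), the host names and timestamps, the rule names, the assumption that the VBScript wrapper runs under wscript.exe or cscript.exe, and the build-tool-parent rule (which generalises the report to any launcher spawned from cargo or rustc) are assumptions; the indicators themselves (nohup, /tmp/init, osascript, hidden PowerShell, init.ps1, the download domain) come from the report.

```rust
/// Domain from the report, kept defanged in source and refanged only at match time.
pub const C2_DOMAIN_DEFANGED: &str = "videotalks[.]xyz";

/// Constructed endpoint telemetry (assumed format: timestamp, then key=value fields,
/// `cmd` quoted and last). Host names and timestamps are invented for this example.
pub const SAMPLE_EVENTS: &str = r#"2025-09-10T12:00:01Z host=devbox1 type=process parent=cargo cmd="nohup /tmp/init"
2025-09-10T12:00:02Z host=macdev2 type=process parent=cargo cmd="osascript -e 'do shell script \"nohup ./init\"'"
2025-09-10T12:00:03Z host=winbox3 type=process parent=wscript.exe cmd="powershell.exe -WindowStyle Hidden -File init.ps1"
2025-09-10T12:00:04Z host=winbox3 type=process parent=cargo cmd="powershell.exe -File init.ps1"
2025-09-10T12:00:05Z host=devbox1 type=netconn dst=download.videotalks.xyz:443
2025-09-10T12:00:06Z host=devbox1 type=process parent=bash cmd="cargo build --release"
2025-09-10T12:00:07Z host=devbox1 type=process parent=bash cmd="nohup ./run-tests.sh""#;

/// Returns the value of `key=value` or `key="quoted value"` in one event line.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let pat = format!(" {key}=");
    let rest = &line[line.find(pat.as_str())? + pat.len()..];
    match rest.strip_prefix('"') {
        // Quoted value: cmd is the last field, so the final quote on the line closes it.
        Some(inner) => inner.rfind('"').map(|end| &inner[..end]),
        None => rest.split_whitespace().next(),
    }
}

/// Names of the rules fired by one event. The rules mirror the report's per-OS branches;
/// the build-tool-parent rule is an assumption that generalises them.
pub fn evaluate(line: &str) -> Vec<&'static str> {
    let mut hits = Vec::new();
    if field(line, "type") == Some("netconn") {
        let refanged = C2_DOMAIN_DEFANGED.replace("[.]", ".");
        if field(line, "dst").unwrap_or("").contains(refanged.as_str()) {
            hits.push("outbound_to_reported_domain");
        }
        return hits;
    }
    let parent = field(line, "parent").unwrap_or("").to_ascii_lowercase();
    let cmd = field(line, "cmd").unwrap_or("").to_ascii_lowercase();
    let launcher = ["nohup", "osascript", "powershell"].iter().any(|k| cmd.contains(*k));
    if matches!(parent.as_str(), "cargo" | "rustc") && launcher {
        hits.push("build_tool_spawned_launcher"); // assumption: a build tool should not spawn these
    }
    if cmd.contains("nohup") && (cmd.contains("/tmp/init") || cmd.contains("./init")) {
        hits.push("nohup_init_dropper"); // Linux and macOS branches
    }
    if cmd.contains("osascript") && cmd.contains("nohup") {
        hits.push("osascript_wrapping_nohup"); // macOS branch
    }
    if matches!(parent.as_str(), "wscript.exe" | "cscript.exe") && cmd.contains("powershell") && cmd.contains("hidden") {
        hits.push("hidden_powershell_via_script_host"); // Windows branch when Qihoo 360 is absent
    }
    if cmd.contains("init.ps1") {
        hits.push("init_ps1_reference"); // Windows branch, either path
    }
    hits
}

/// (1-based line number, fired rules) for every event that fired at least one rule.
pub fn scan(events: &str) -> Vec<(usize, Vec<&'static str>)> {
    events.lines().enumerate()
        .map(|(i, l)| (i + 1, evaluate(l)))
        .filter(|(_, hits)| !hits.is_empty())
        .collect()
}

fn main() {
    for (line_no, hits) in scan(SAMPLE_EVENTS) {
        println!("line {line_no}: {}", hits.join(", "));
    }
}
```

The two benign events (a normal cargo build and a developer's own nohup of a test script) fire nothing, which is the point of keying the nohup rule on the dropped file name and the launcher rule on the parent process rather than on nohup alone. The host with Qihoo 360 present is still caught by the init.ps1 and build-tool-parent rules even though no hidden-window PowerShell appears.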

Risks

  • Supply chain compromise: Developers unknowingly pulled malicious code into projects.
  • Cross-platform reach: Windows, macOS, and Linux payloads tailored for maximum coverage.
  • Crypto theft profile: Targeting Web3 developers aligns with theft of crypto assets and credentials.
  • Stealth execution: Mimics legitimate functionality, making detection difficult.

Defensive Measures

  • For developers:
    • Audit dependencies (evm-units, uniswap-utils) and remove them immediately.
    • Rotate credentials for GitHub, npm, crates.io, and crypto wallets.
    • Scan systems for suspicious files (/tmp/init, init, init.ps1) and outbound traffic to videotalks[.]xyz.
    • Enable MFA on developer accounts and crypto platforms.
  • For organizations:
    • Implement dependency scanning and software composition analysis (SCA) in CI/CD pipelines.
    • Monitor for unusual PowerShell, osascript, or nohup activity.
    • Block known malicious domains and enforce egress filtering.
    • Educate dev teams on supply chain risks and encourage use of vetted packages.
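The dependency audit in the list above, as an added example in Rust (not from the researchers or from either crate): it parses a Cargo.lock using the standard library only, flags the two crate names from the report, and lists every crate that pulls each one in directly or transitively, so a project that only declared uniswap-utils still sees evm-units in its findings. The embedded lockfile excerpt, its versions and the crate name my-dapp are constructed placeholders; the blocklist is a two-entry stand-in for what an SCA feed would provide.

```rust
use std::{collections::{HashMap, HashSet, VecDeque}, env, fs};

/// Crate names from the report. Constructed blocklist; in practice feed it from your SCA tooling.
pub const BLOCKLIST: &[&str] = &["evm-units", "uniswap-utils"];

/// Constructed Cargo.lock excerpt, audited when no path is given; versions are placeholders.
pub const SAMPLE_LOCK: &str = r#"[[package]]
name = "evm-units"
version = "0.0.0-placeholder"

[[package]]
name = "my-dapp"
version = "0.1.0"
dependencies = [
 "uniswap-utils",
]

[[package]]
name = "uniswap-utils"
version = "0.0.0-placeholder"
dependencies = ["evm-units"]
"#;

/// One `[[package]]` table from Cargo.lock.
#[derive(Debug, Clone, Default, PartialEq)]
pub struct Package { pub name: String, pub version: String, pub dependencies: Vec<String> }

/// A blocklisted crate in the lockfile plus every crate that pulls it in, directly or transitively.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding { pub name: String, pub version: String, pub pulled_in_by: Vec<String> }

/// Line-oriented parser for the `[[package]]` tables of Cargo.lock; handles single-line and
/// multi-line `dependencies = [...]`, whose entries may be `"name"` or `"name version"`.
pub fn parse_cargo_lock(text: &str) -> Vec<Package> {
    let (mut packages, mut current, mut in_deps) = (Vec::new(), None::<Package>, false);
    for raw in text.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            // Any new table ([[package]], [metadata], ...) closes the package being built.
            packages.extend(current.take());
            current = (line == "[[package]]").then(Package::default);
            in_deps = false;
            continue;
        }
        let pkg = match current.as_mut() { Some(p) => p, None => continue };
        if in_deps {
            if line.starts_with(']') { in_deps = false } else { pkg.dependencies.extend(dep_name(line)) }
        } else if let Some(v) = line.strip_prefix("name = ") {
            pkg.name = v.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("version = ") {
            pkg.version = v.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("dependencies = [") {
            match v.trim().strip_suffix(']') {
                Some(inline) => pkg.dependencies.extend(inline.split(',').filter_map(dep_name)),
                None => in_deps = true,
            }
        }
    }
    packages.extend(current.take());
    packages
}

/// `"serde 1.0.0",` -> Some("serde"); blank entries yield None.
fn dep_name(item: &str) -> Option<String> {
    let s = item.trim().trim_end_matches(',').trim().trim_matches('"');
    s.split_whitespace().next().map(str::to_string)
}

/// Every blocklisted crate in the lockfile, with all crates that reach it in the dependency graph.
pub fn find_blocklisted(packages: &[Package], blocklist: &[&str]) -> Vec<Finding> {
    // Reverse edges: dependency name -> crates that list it.
    let mut dependents: HashMap<&str, Vec<&str>> = HashMap::new();
    for p in packages {
        for d in &p.dependencies { dependents.entry(d.as_str()).or_default().push(p.name.as_str()); }
    }
    let mut findings = Vec::new();
    for p in packages.iter().filter(|p| blocklist.contains(&p.name.as_str())) {
        // Breadth-first walk up the reverse graph collects transitive dependents too.
        let (mut seen, mut queue) = (HashSet::new(), VecDeque::from([p.name.as_str()]));
        while let Some(n) = queue.pop_front() {
            for &parent in dependents.get(n).into_iter().flatten() {
                if seen.insert(parent) { queue.push_back(parent); }
            }
        }
        let mut pulled_in_by: Vec<String> = seen.into_iter().map(str::to_string).collect();
        pulled_in_by.sort();
        findings.push(Finding { name: p.name.clone(), version: p.version.clone(), pulled_in_by });
    }
    findings.sort_by(|a, b| a.name.cmp(&b.name));
    findings
}

fn main() {
    // Usage: <binary> [path/to/Cargo.lock]; without an argument the embedded sample is audited.
    let text = env::args().nth(1).map_or(SAMPLE_LOCK.to_string(), |p| fs::read_to_string(&p).expect("read Cargo.lock"));
    for f in find_blocklisted(&parse_cargo_lock(&text), BLOCKLIST) {
        println!("BLOCKLISTED {} {} pulled in by: {}", f.name, f.version, f.pulled_in_by.join(", "));
    }
}
```

Compile with rustc and pass a Cargo.lock path to audit a real project. Walking the reverse graph matters because the lockfile, not Cargo.toml, is where a transitive crate like evm-units shows up; a CI step that wraps this and fails on any finding covers the SCA bullet in the organizational list as well.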

Takeaway

This incident highlights how malicious crates can weaponize developer ecosystems to infiltrate Web3 projects. By embedding malware in widely used dependencies, attackers gain stealthy access to developer environments, enabling crypto theft and broader supply chain compromise.
