Security researchers reported a malicious Rust package called evm-units that was capable of delivering second‑stage payloads to Windows, macOS and Linux systems while posing as an Ethereum unit helper. The crate was uploaded to crates.io in mid‑April 2025 and attracted more than 7,000 downloads over eight months before removal from the repository.
The package was published by a crates.io user known as ablerust and was listed as a dependency of another package, uniswap-utils, which itself recorded over 7,400 downloads. Both packages have since been removed from the package registry.
Analysis showed the crate exposes a function named get_evm_version() that decodes an address and reaches out to an external domain (download.videotalks[.]xyz) to fetch a platform‑specific payload. On Linux the code saves a script to /tmp/init and runs it with nohup; on macOS it downloads an init file and runs it via osascript with nohup; on Windows it saves an init.ps1 PowerShell script to the temp directory and checks for a specific antivirus process.
Researchers noted that the Windows code checks for the qhsafetray.exe process, which is associated with Qihoo 360’s 360 Total Security antivirus, and changes how it runs the payload depending on the result. If the process is not present, the package reportedly creates a Visual Basic Script wrapper to launch a hidden PowerShell session; if it is present, the package invokes PowerShell directly.
Socket security researchers also warned that the package’s references to EVM and Uniswap, combined with its inclusion as a dependency of a widely used package, allowed the malicious code to run automatically during initialization and increased the chance it would reach Web3 developers. The actor embedded a cross‑platform loader inside a function that appears to return an Ethereum version number.
Investigators characterized the explicit check for Qihoo 360 as a rare, China‑focused indicator and said the behavior fits a crypto‑theft profile given Asia’s large retail cryptocurrency market.
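To check whether either crate named above was resolved into a build, the following added example (not code from the researchers or from the report) scans a Cargo.lock for evm-units and uniswap-utils and lists the packages that pull them in. The Finding type, the audit_lockfile function, the my-dapp package and all version numbers in the sample are assumptions made for the illustration.

```rust
// Added example (not from the report): flag the crates named above in a Cargo.lock.
// Assumes the layout cargo itself writes: one key per line, multi-line dependency arrays.
const FLAGGED: [&str; 2] = ["evm-units", "uniswap-utils"];
#[derive(Debug, PartialEq)]
pub struct Finding { pub name: String, pub version: String, pub dependents: Vec<String> }

pub fn audit_lockfile(lock: &str) -> Vec<Finding> {
    let mut pkgs: Vec<(String, String, Vec<String>)> = Vec::new(); // (name, version, deps)
    let (mut active, mut in_deps) = (false, false);
    for line in lock.lines().map(str::trim) {
        if line.starts_with('[') {
            active = line == "[[package]]"; // [metadata], [[patch.unused]] are skipped
            in_deps = false;
            if active { pkgs.push(Default::default()); }
        } else if !active {
            continue;
        } else if in_deps {
            in_deps = line != "]";
            if in_deps { // entry: "name", "name version" or "name version (source)"
                let dep = line.trim_matches(|c: char| c == '"' || c == ',');
                pkgs.last_mut().unwrap().2.extend(dep.split_whitespace().next().map(String::from));
            }
        } else if let Some(v) = line.strip_prefix("name = ") {
            pkgs.last_mut().unwrap().0 = v.trim_matches('"').into();
        } else if let Some(v) = line.strip_prefix("version = ") {
            pkgs.last_mut().unwrap().1 = v.trim_matches('"').into();
        } else if line.starts_with("dependencies = [") {
            in_deps = !line.ends_with(']');
        }
    }
    pkgs.iter().filter(|p| FLAGGED.contains(&p.0.as_str())).map(|p| Finding {
        name: p.0.clone(),
        version: p.1.clone(),
        dependents: pkgs.iter().filter(|q| q.2.contains(&p.0)).map(|q| q.0.clone()).collect(),
    }).collect()
}

// Constructed lockfile: "my-dapp" and every version number are made up for the demo.
const SAMPLE: &str = "[[package]]\nname = \"my-dapp\"\nversion = \"0.1.0\"\n\
    dependencies = [\n \"uniswap-utils\",\n]\n\n\
    [[package]]\nname = \"uniswap-utils\"\nversion = \"0.0.0\"\n\
    dependencies = [\n \"evm-units 0.0.0\",\n]\n\n\
    [[package]]\nname = \"evm-units\"\nversion = \"0.0.0\"\n";

fn main() {
    for f in audit_lockfile(SAMPLE) {
        println!("FLAGGED {} {} <- {:?}", f.name, f.version, f.dependents);
    }
}
```

To audit a real project, read its Cargo.lock with `std::fs::read_to_string` and pass the contents to `audit_lockfile`.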

