Malicious Rust Crate Delivers OS-Specific Malware to Web3 Developer Systems

By Team-CWD, December 11, 2025


Cybersecurity researchers have discovered a malicious Rust package that targets Windows, macOS, and Linux systems and executes stealthily on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool.

The Rust crate, named “evm-units,” was uploaded to crates.io in mid-April 2025 by a user named “ablerust,” attracting more than 7,000 downloads over the past eight months. Another package created by the same author, “uniswap-utils,” which listed “evm-units” as a dependency, was downloaded over 7,400 times. Both packages have since been removed from the package repository.

“Based on the victim’s operating system and whether Qihoo 360 antivirus is running, the package downloads a payload, writes it to the system temp directory, and silently executes it,” Socket security researcher Olivia Brown said in a report. “The package appears to return the Ethereum version number, so the victim is none the wiser.”

A notable aspect of the package is that it is explicitly designed to check for the presence of the “qhsafetray.exe” process, an executable file associated with 360 Total Security, an antivirus software developed by Chinese security vendor Qihoo 360.

Specifically, the package is designed to invoke a seemingly harmless function named “get_evm_version(),” which decodes and reaches out to an external URL (“download.videotalks[.]xyz”) to fetch a next-stage payload depending on the operating system on which it’s being run:

  • On Linux, it downloads a script, saves it in /tmp/init, and runs it in the background using the nohup command, enabling the attacker to gain full control
  • On macOS, it downloads a file called init and runs it using osascript in the background with the nohup command
  • On Windows, it downloads and saves the payload as a PowerShell script file (“init.ps1”) in the temp directory and checks running processes for “qhsafetray.exe,” before invoking the script

In the event the process is not present, it creates a Visual Basic Script wrapper that runs a hidden PowerShell script with no visible window. If the antivirus process is detected, it slightly alters its execution flow by directly invoking PowerShell.

“This focus on Qihoo 360 is a rare, explicit, China-focused targeting indicator, because it is a leading Chinese internet company,” Brown said. “It fits the crypto-theft profile, as Asia is one of the largest global markets for retail cryptocurrency activity.”

The references to EVM and Uniswap, a decentralized cryptocurrency exchange protocol built on the Ethereum blockchain, indicate that the supply chain incident is designed to target developers in the Web3 space by passing off the packages as Ethereum-related utilities.

“Ablerust, the threat actor responsible for the malicious code, embedded a cross-platform second-stage loader inside a seemingly harmless function,” Brown said. “Worse, the dependency was pulled into another widely used package (uniswap-utils), allowing the malicious code to execute automatically during initialization.”
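Because “uniswap-utils” pulled in “evm-units” as a dependency, a project can be exposed without naming either crate in its own Cargo.toml, so the check belongs on Cargo.lock. The Rust program below is an added example, not code from the article or from Socket's report: it reads a lockfile, finds the two crate names reported above, and lists every package whose dependencies reach them. The `my-dapp` package, the sample lockfile and the `0.0.0` version are constructed placeholders.

```rust
use std::collections::{BTreeMap, BTreeSet};
// Names from the article; SAMPLE is a constructed, trimmed Cargo.lock.
const FLAGGED: [&str; 2] = ["evm-units", "uniswap-utils"];
const SAMPLE: &str = r#"
[[package]]
name = "my-dapp"
dependencies = [
 "uniswap-utils",
]
[[package]]
name = "uniswap-utils"
dependencies = [
 "evm-units 0.0.0",
]
[[package]]
name = "evm-units"
[[package]]
name = "serde"
"#;

// Minimal std-only reader: package name -> dependency names ("name" or "name version").
fn parse_lock(lock: &str) -> BTreeMap<String, Vec<String>> {
    let mut pkgs: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for block in lock.split("[[package]]").skip(1) {
        let mut lines = block.lines().map(str::trim);
        if let Some(name) = lines.find_map(|l| l.strip_prefix("name = ")) {
            let deps = lines.skip_while(|l| *l != "dependencies = [").skip(1)
                .take_while(|l| *l != "]")
                .map(|l| l.trim_matches(|c: char| c == '"' || c == ','))
                .filter_map(|l| l.split_whitespace().next().map(String::from));
            pkgs.entry(name.trim_matches('"').to_string()).or_default().extend(deps);
        }
    }
    pkgs
}

// Flagged crates in the lockfile plus every package whose dependencies reach one.
fn affected(pkgs: &BTreeMap<String, Vec<String>>) -> BTreeSet<String> {
    let mut hit: BTreeSet<String> =
        pkgs.keys().filter(|n| FLAGGED.contains(&n.as_str())).cloned().collect();
    loop {
        let before = hit.len();
        for (name, deps) in pkgs {
            if deps.iter().any(|d| hit.contains(d)) { hit.insert(name.clone()); }
        }
        if hit.len() == before { return hit; }
    }
}
fn main() { println!("affected: {:?}", affected(&parse_lock(SAMPLE))); }
```

On the sample, `my-dapp` is reported even though it only names “uniswap-utils”, while `serde` is not.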


