Malicious Rust Crate evm-units Targets Web3 Developers with OS-Specific Malware via crates.io Supply Chain Attack
- Rescana
- 5 days ago

Executive Summary
A highly sophisticated supply chain attack has been uncovered targeting the Web3 development ecosystem through the deployment of a malicious Rust crate, evm-units, on the official crates.io repository. This crate, along with a secondary package, uniswap-utils, was designed to masquerade as a legitimate Ethereum Virtual Machine (EVM) utility, enticing unsuspecting developers to incorporate it into their projects. Once integrated, the crate delivered OS-specific malware tailored for Windows, macOS, and Linux environments. The attack chain included advanced evasion techniques, such as explicit detection of Chinese antivirus software, and leveraged dependency confusion to maximize its reach. Over 7,000 downloads were recorded before the packages were removed, indicating significant exposure within the Web3 and blockchain development community. This incident underscores the escalating threat posed by supply chain attacks in open-source ecosystems and highlights the necessity for rigorous dependency vetting and continuous monitoring.
Threat Actor Profile
The malicious campaign was orchestrated by an actor using the alias ablerust, who published both evm-units and uniswap-utils to crates.io in April 2025. The actor demonstrated a high degree of technical sophistication, employing OS fingerprinting, dynamic payload delivery, and anti-analysis techniques. Notably, the malware explicitly checked for the presence of qhsafetray.exe, associated with Qihoo 360 Total Security, a popular Chinese antivirus product, to alter its execution flow and evade detection. This focus on Chinese security products, combined with the targeting of Web3 developers, suggests a financially motivated threat actor with a particular interest in the Asian cryptocurrency market. While no direct attribution to a known Advanced Persistent Threat (APT) group has been established, the tactics, techniques, and procedures (TTPs) align with those observed in previous campaigns targeting the crypto sector for financial gain.
Technical Analysis of Malware/TTPs
The primary infection vector was the installation of the evm-units or uniswap-utils crates from crates.io. These packages appeared to offer legitimate EVM and Uniswap helper functions but contained a weaponized function, get_evm_version(), which surreptitiously initiated the attack chain. Upon invocation, this function decoded and contacted the external command-and-control (C2) domain download.videotalks[.]xyz, from which it retrieved a second-stage payload tailored to the victim's operating system.
For Linux systems, the malware downloaded a shell script, saved it as /tmp/init, and executed it in the background using nohup, ensuring persistence and minimizing user visibility. On macOS, a similarly named file, init, was downloaded and executed via osascript and nohup, leveraging native scripting capabilities for stealth. For Windows environments, the attack was more nuanced: a PowerShell script, init.ps1, was dropped into the %TEMP% directory. The malware then checked for the presence of qhsafetray.exe (Qihoo 360 Total Security). If the antivirus was absent, the script was executed using a VBScript wrapper to run PowerShell in a hidden window; if present, it invoked PowerShell directly, likely to avoid triggering heuristic detection.
The function ultimately returned the expected Ethereum version number, ensuring that its malicious activity remained undetected by the developer or automated build systems. This level of obfuscation and operational security is indicative of a threat actor with a deep understanding of both the Rust ecosystem and the operational environments of their targets.
The campaign leveraged several MITRE ATT&CK techniques, including Supply Chain Compromise (T1195.002), Command and Scripting Interpreter (T1059), Obfuscated Files or Information (T1027), Masquerading (T1036), Boot or Logon Initialization Scripts (T1547), and Application Layer Protocol for C2 (T1071).
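The per-OS behaviours described above translate directly into host detection rules. The following Python is an added example, not code from Rescana or from the original research: it encodes the reported indicators (the /tmp/init dropper run under nohup, the macOS stage run via osascript and nohup, init.ps1 launched by PowerShell from the Temp directory, and DNS resolution of the C2 domain) as predicates and runs them over constructed sample telemetry. The event schema (os, kind, cmdline, query), the assumption that %TEMP% appears in telemetry as a path ending in \Temp\, and every sample event are assumptions made for this example; the indicator values themselves are the ones the advisory lists.

```python
"""Detection rules for the evm-units / uniswap-utils attack chain.

Added example (not from the Rescana advisory). The event schema and the
sample events are constructed; the indicators come from the report.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Indicators quoted from the report. The C2 domain is stored defanged in
# source and refanged only when compared against live DNS data.
C2_DOMAIN_DEFANGED = "download.videotalks[.]xyz"
LINUX_DROP_RE = re.compile(r"(?<!\S)/tmp/init(?!\S)")
# Assumption: %TEMP% expands to a path whose last folder is "Temp".
WINDOWS_DROP_RE = re.compile(r"\\Temp\\init\.ps1\b", re.IGNORECASE)
WINDOWS_HOST_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo '[.]' defanging so a stored indicator can be matched."""
    return indicator.replace("[.]", ".")


def linux_dropper(e: Event) -> bool:
    """Linux stage: /tmp/init executed in the background with nohup."""
    return (e["kind"] == "process" and e["os"] == "linux"
            and "nohup" in e["cmdline"]
            and bool(LINUX_DROP_RE.search(e["cmdline"])))


def macos_dropper(e: Event) -> bool:
    """macOS stage: the downloaded init run via osascript and nohup."""
    return (e["kind"] == "process" and e["os"] == "macos"
            and "osascript" in e["cmdline"] and "nohup" in e["cmdline"])


def windows_dropper(e: Event) -> bool:
    """Windows stage: PowerShell launched on init.ps1 from the Temp folder."""
    return (e["kind"] == "process" and e["os"] == "windows"
            and bool(WINDOWS_HOST_RE.search(e["cmdline"]))
            and bool(WINDOWS_DROP_RE.search(e["cmdline"])))


def c2_lookup(e: Event) -> bool:
    """DNS resolution of the reported C2 domain (trailing dot tolerated)."""
    return (e["kind"] == "dns"
            and e["query"].lower().rstrip(".") == refang(C2_DOMAIN_DEFANGED))


# (rule name, ATT&CK technique cited in the report, predicate)
RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    ("linux_tmp_init_nohup", "T1059", linux_dropper),
    ("macos_osascript_nohup", "T1059", macos_dropper),
    ("windows_temp_init_ps1", "T1059", windows_dropper),
    ("c2_dns_videotalks", "T1071", c2_lookup),
]


def scan(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (event index, rule name, technique) for every rule that fires."""
    hits: List[Tuple[int, str, str]] = []
    for i, e in enumerate(events):
        for name, technique, pred in RULES:
            if pred(e):
                hits.append((i, name, technique))
    return hits


# Constructed sample telemetry: four events modelled on the report, two benign.
SAMPLE_EVENTS: List[Event] = [
    {"os": "linux", "kind": "process", "cmdline": "nohup /tmp/init &"},
    {"os": "macos", "kind": "process", "cmdline": "nohup osascript init"},
    {"os": "windows", "kind": "process",
     "cmdline": r"powershell.exe -File C:\Users\dev\AppData\Local\Temp\init.ps1"},
    {"os": "linux", "kind": "dns", "query": "download.videotalks.xyz."},
    {"os": "linux", "kind": "process", "cmdline": "nohup cargo build --release &"},
    {"os": "linux", "kind": "dns", "query": "static.crates.io"},
]

if __name__ == "__main__":
    for idx, name, technique in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name} ({technique})")
```

The Linux rule anchors /tmp/init on whitespace so that unrelated paths such as /tmp/initialize do not fire, and the DNS rule normalises case and the trailing dot before comparing, which is where naive string matching on resolver logs usually fails.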
Exploitation in the Wild
The malicious crates were available on crates.io for several weeks, accumulating over 7,000 downloads for evm-units and more than 7,400 for uniswap-utils before their removal. The attack primarily targeted developers in the Web3, blockchain, and cryptocurrency sectors, with a particular emphasis on those operating in Asia, as evidenced by the explicit evasion of Qihoo 360 antivirus. The widespread adoption of open-source dependencies in the Web3 ecosystem facilitated rapid propagation of the malware, potentially compromising numerous development and CI/CD environments. While no public reports have attributed the campaign to a specific APT group, the operational focus and technical sophistication suggest a well-resourced, financially motivated actor.
Victimology and Targeting
The primary victims of this campaign were Web3, Ethereum, and blockchain developers who incorporated the evm-units or uniswap-utils crates into their projects. The explicit targeting of Chinese antivirus software indicates a strategic focus on developers in China and the broader Asian crypto market, which is known for its high volume of blockchain innovation and financial activity. However, given the global nature of open-source software, developers and organizations worldwide who rely on Rust-based tooling for blockchain or cryptocurrency projects are at risk. The attack's reliance on dependency confusion and supply chain poisoning means that even organizations with robust perimeter defenses could be compromised if their internal software supply chain hygiene is lacking.
Mitigation and Countermeasures
Organizations should immediately audit all Rust project dependencies, with particular attention to any use of evm-units or uniswap-utils. Any systems where these crates were installed must be isolated, and a thorough forensic analysis should be conducted to identify and remediate any secondary payloads or persistence mechanisms. Outbound network connections to download.videotalks[.]xyz should be blocked at the firewall or proxy level, and security teams should monitor for the presence of the following indicators of compromise: /tmp/init on Linux, init on macOS, %TEMP%\init.ps1 on Windows, and any process checks for qhsafetray.exe.
Continuous monitoring of build and CI/CD environments is essential to detect unauthorized scripts or binaries. Developers should be educated on the risks of supply chain attacks and encouraged to use tools that verify the integrity and provenance of open-source dependencies. Implementing automated dependency scanning and leveraging software composition analysis (SCA) platforms can further reduce the risk of future incidents. Finally, organizations should establish incident response playbooks specifically tailored to supply chain and dependency poisoning scenarios.
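The dependency audit recommended above can be automated against Cargo.lock, which records every crate in the resolved graph, not just direct dependencies. The following Python is an added example, not Rescana's tooling or anything from the Rust project: it parses the [[package]] tables of a Cargo.lock with a small line-oriented parser, flags the two crate names from this advisory, and reports which crates pulled each one in so the owning team can be identified. The sample lock file, its version strings and checksums, and the dependency chain in it (my-dapp depending on uniswap-utils, which in turn depends on evm-units) are constructed for the example and are not a claim about how the real packages related to each other.

```python
"""Audit a Cargo.lock for the crates named in the advisory.

Added example (not from Rescana or the Rust project). The sample lock file
below is constructed; crate names come from the report.
"""
import re
import sys
from typing import Dict, List, Set

FLAGGED_CRATES: Set[str] = {"evm-units", "uniswap-utils"}
PACKAGE_KEYS = ("name", "version", "source")


def parse_cargo_lock(text: str) -> List[Dict]:
    """Return one dict per [[package]] table: name, version, source, dependencies."""
    packages: List[Dict] = []
    current = None
    in_deps = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {"name": "", "version": "", "source": "", "dependencies": []}
            packages.append(current)
            in_deps = False
            continue
        if line.startswith("[") and not in_deps:
            current = None  # [metadata] or another top-level table
            continue
        if current is None:
            continue
        if in_deps:
            if line.startswith("]"):
                in_deps = False
            else:
                # Entries look like "serde" or "serde 1.0.0"; keep the name only.
                m = re.match(r'"([^"\s]+)', line)
                if m:
                    current["dependencies"].append(m.group(1))
            continue
        m = re.match(r"(\w+)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "dependencies":
            if value.startswith("[") and not value.endswith("]"):
                in_deps = True  # multi-line array follows
            else:
                current["dependencies"] = re.findall(r'"([^"\s]+)', value)
        elif key in PACKAGE_KEYS:
            current[key] = value.strip('"')
    return packages


def audit(packages: List[Dict], flagged: Set[str] = FLAGGED_CRATES) -> List[Dict]:
    """Report flagged crates present in the lock and the crates that depend on them."""
    by_name = {p["name"]: p for p in packages}
    dependents: Dict[str, Set[str]] = {}
    for p in packages:
        for dep in p["dependencies"]:
            dependents.setdefault(dep, set()).add(p["name"])
    findings = []
    for name in sorted(flagged & set(by_name)):
        pkg = by_name[name]
        findings.append({
            "crate": name,
            "version": pkg["version"],
            "source": pkg["source"],
            "pulled_in_by": sorted(dependents.get(name, set())),
        })
    return findings


# Constructed sample Cargo.lock; versions and checksums are placeholders.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "evm-units"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER-CHECKSUM"

[[package]]
name = "my-dapp"
version = "0.1.0"
dependencies = [
 "serde",
 "uniswap-utils",
]

[[package]]
name = "serde"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER-CHECKSUM"

[[package]]
name = "uniswap-utils"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER-CHECKSUM"
dependencies = [
 "evm-units",
]

[metadata]
"""

if __name__ == "__main__":
    # Pass a real Cargo.lock path to audit it; otherwise the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CARGO_LOCK
    results = audit(parse_cargo_lock(text))
    for f in results:
        print(f"{f['crate']} {f['version']} pulled in by {f['pulled_in_by']}")
    sys.exit(1 if results else 0)
```

Run in CI, the non-zero exit on any finding fails the build; the pulled_in_by field matters because a flagged crate usually arrives transitively, and the direct dependency that introduced it is what has to be removed or pinned.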
References
The following sources provide additional technical details and context for this incident:
- The Hacker News: Malicious Rust Crate Delivers OS-Specific Malware to Web3 Developer Systems
- Socket Security Researcher Olivia Brown Report: Socket Blog
- Reddit: r/pwnhub - Malicious Rust Crate Targets Web3 Developers
- LinkedIn: Cyber News Live Post
- NVD: No CVE assigned as of report date
- Rust Blog: Malicious crates evm-units and uniswap-utils
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their entire digital supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify and respond to emerging threats, ensuring the resilience and integrity of critical business operations. For more information about how Rescana can help safeguard your organization, or for any questions regarding this advisory, please contact us at ops@rescana.com.