A malicious Rust crate masquerading as an Ethereum Virtual Machine (EVM) helper was removed from crates.io after accumulating over 7,000 downloads. The package targeted Windows, macOS, and Linux systems.
Details and Discovery
Cybersecurity researchers discovered the malicious crate, uploaded in mid-April 2025. A second package by the same author was pulled as a dependency by uniswap-utils and downloaded over 7,400 times.
According to Socket Security researcher Olivia Brown, the package executed a function
- On Linux, a script saved to /tmp/init was run using nohup.
- On macOS, the script executed via osascript with nohup.
- On Windows, a PowerShell script, init.ps1, was saved and executed.
Security Implications
The Rust crate contained a cross-platform loader that ran when the package was used, putting systems without adequate protections at risk. The crate checked for qhsafetray.exe, a process associated with Qihoo 360 antivirus. If that process was not detected, a Visual Basic Script ran a PowerShell script hidden from the user. This suggests China-focused targeting, given the profile of potentially crypto-related theft.
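The per-platform launch patterns described above can be matched in process-creation telemetry. The following is an added example, not code from the original report or from Socket. The event field names, the `evm-tool` parent name, the sample paths, and the use of wscript.exe/cscript.exe as the Visual Basic Script host are assumptions, and the events are constructed.

```python
import ntpath
import posixpath
import re
import shlex

# Constructed process-creation events, not real telemetry. Field names are assumptions.
EVENTS = [
    {"os": "linux", "parent": "evm-tool", "cmdline": "nohup /tmp/init"},
    {"os": "linux", "parent": "bash", "cmdline": "nohup /tmp/initramfs-rebuild.sh"},
    {"os": "macos", "parent": "evm-tool",
     "cmdline": "osascript -e 'do shell script \"nohup /tmp/init\"'"},
    {"os": "macos", "parent": "zsh", "cmdline": "osascript -e 'display dialog \"hi\"'"},
    {"os": "windows", "parent": "wscript.exe",
     "cmdline": r'powershell.exe -File "C:\Users\dev\AppData\Local\Temp\init.ps1"'},
    {"os": "windows", "parent": "explorer.exe", "cmdline": r"powershell.exe -File C:\tools\reinit.ps1"},
]

def _tokens(cmdline, posix):
    """Split a command line into arguments, honouring quotes."""
    if not posix:
        return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    try:
        return shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        return cmdline.split()

def classify(event):
    """Return a finding name for one event, or None if no rule matches."""
    os_name, cmdline = event["os"], event["cmdline"]
    args = _tokens(cmdline, posix=os_name != "windows")
    if not args:
        return None
    if os_name == "windows":
        exe = ntpath.basename(args[0]).lower()
        runs_init = any(ntpath.basename(a).lower() == "init.ps1" for a in args[1:])
        if exe in ("powershell.exe", "pwsh.exe", "powershell") and runs_init:
            vbs = event.get("parent", "").lower() in ("wscript.exe", "cscript.exe")
            return "windows-init-ps1-via-vbs" if vbs else "windows-init-ps1"
        return None
    exe = posixpath.basename(args[0])
    if os_name == "linux" and exe == "nohup" and "/tmp/init" in args[1:]:  # exact path only
        return "linux-nohup-tmp-init"
    if os_name == "macos" and exe == "osascript" and re.search(r"\bnohup\b", cmdline):
        return "macos-osascript-nohup"
    return None

def scan(events):
    """Return (index, finding) pairs for every event that matches a rule."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]
```

Matching on the exact `/tmp/init` argument and the exact `init.ps1` file name keeps look-alikes such as `/tmp/initramfs-rebuild.sh` and `reinit.ps1` from alerting.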
Remedies and Response
Both the malicious Rust crate and its dependency in uniswap-utils have been removed from crates.io. The incident highlights supply chain security vulnerabilities within software ecosystems and the need for stronger scrutiny and safeguards.
Experts emphasize the importance of careful vetting of third-party packages to prevent such breaches.



