The package posed as a legitimate Ethereum Virtual Machine (EVM) utility but secretly downloaded and executed platform-specific payloads designed to compromise user systems.
The malicious behavior triggered when developers invoked the function get_evm_version(). Although the function appeared legitimate, returning an Ethereum version number, it covertly initiated a chain of steps that fetched and executed an external payload.
The function contained a Base64-encoded URL that decoded to https://download.videotalks.xyz/gui/6dad3/…, a location flagged as malicious on VirusTotal and associated with the hash 6d09e646856aa96fd118f9e5725dc8565deac4b441a96a011e528c0732db9c51.
Notably, the malware adapted its techniques depending on the operating system. The payload was fetched using an HTTP client built with the danger_accept_invalid_certs(true) option, an apparent attempt to bypass SSL certificate validation so the download would succeed from a host presenting a self-signed certificate.
On Linux, the malware downloaded a script to the system’s temporary folder, /tmp/init, and executed it quietly in the background via nohup bash.
On macOS, it followed the same pattern but used osascript to run the payload as a hidden AppleScript with no visible windows or logs.
The Windows variant was more intricate, downloading a PowerShell script into the temporary directory and checking for the presence of Qihoo 360, a popular Chinese antivirus.
If the antivirus was absent, a VBScript launcher started the PowerShell payload invisibly; otherwise, it executed the script directly in a hidden window.
This selective behavior signaled deliberate targeting of Asian users, given Qihoo 360’s regional popularity and the likely focus on cryptocurrency theft. Socket’s analysis revealed that evm-units acted as a second-stage loader.
Another seemingly benign package, uniswap-utils, also authored by ablerust and downloaded over 7,400 times, depended on evm-units and automatically executed the malicious function during initialization using the #[ctor::ctor] macro.
This dependency chain turned a harmless helper library into part of a supply-chain attack. The discovery underscores how easily attackers can infiltrate software ecosystems by embedding hidden loaders in legitimate-looking dependencies.
Socket removed the package within minutes of detection and published detailed technical indicators to aid further investigation.
Developers are encouraged to enable dependency monitoring tools, such as Socket’s AI Scanner, or to integrate security checks into CI/CD pipelines to detect unexpected behaviors, such as multi-OS payload downloads, hidden initialization hooks, and silent execution flows.
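One shape such a CI check can take, added here as an example that is not Socket's tooling or the crate's code: a heuristic scan of a crate's Rust source for the indicators this article names (a hidden init hook, disabled certificate validation, a Base64-hidden URL, per-OS silent execution). The pattern labels, regexes and the sample source are this example's own constructions.

```python
import base64
import re

# Heuristic indicators for the behaviours the article describes; the labels
# and patterns are this example's own, not Socket's detection rules.
INDICATORS = [
    ("hidden init hook: #[ctor::ctor]", re.compile(r"#\[\s*ctor::ctor\s*\]")),
    ("TLS validation disabled", re.compile(r"danger_accept_invalid_certs\(\s*true\s*\)")),
    ("platform-specific branch", re.compile(r"cfg!\(\s*target_os\s*=")),
    ("silent Linux execution (nohup)", re.compile(r"\bnohup\b")),
    ("silent macOS execution (osascript)", re.compile(r"\bosascript\b")),
    ("silent Windows execution", re.compile(r"wscript|WindowStyle\s+Hidden", re.I)),
    ("writes to temp dir", re.compile(r"/tmp/|temp_dir\(\)")),
]
# Long Base64-looking string literals: a URL hidden this way has no "http" to grep for.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')

def decoded_urls(source):
    """Decode every long Base64 literal and return the ones that hide a URL."""
    urls = []
    for lit in B64_LITERAL.findall(source):
        try:
            text = base64.b64decode(lit, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64 or not text: ignore
        if re.match(r"https?://", text):
            urls.append(text)
    return urls

def scan_source(source):
    """Return a sorted list of findings for the text of one Rust source file."""
    findings = {label for label, rx in INDICATORS if rx.search(source)}
    for url in decoded_urls(source):
        findings.add("Base64-hidden URL: " + url)
    return sorted(findings)

# Constructed sample that mimics the loader's shape; not the real crate's code.
SAMPLE_URL = "https://example.invalid/stage2"
SAMPLE_SOURCE = f'''
#[ctor::ctor] fn init() {{ get_evm_version(); }}
pub fn get_evm_version() -> String {{
    let url = decode("{base64.b64encode(SAMPLE_URL.encode()).decode()}");
    let _client = client_builder().danger_accept_invalid_certs(true).build();
    if cfg!(target_os = "linux") {{ run("nohup bash /tmp/init &"); }}
    else if cfg!(target_os = "macos") {{ run("osascript -e '...'"); }}
    else {{ run("wscript.exe launcher.vbs"); }}
    "1.0.0".to_string()
}}
'''
```

Run scan_source over every .rs file under a vendored dependency tree (for example the output of cargo vendor) and fail the pipeline when any finding appears; a hit is a prompt for manual review, not proof of malice, since legitimate crates occasionally use ctor or cfg!(target_os) for benign reasons.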
The post Rust evm-units Impersonation Leads to Silent Execution of OS-Specific Payloads appeared first on Cyber Security News.