Malicious Rust Packages Target Web3 Developers

Summary
– A malicious Rust package named ‘evm-units’, designed to steal cryptocurrency, was removed from the official registry after being downloaded over 7,200 times.
– A second package, ‘uniswap-utils’, which depended on the malicious crate, was also removed after being downloaded over 7,400 times, and the author’s account was disabled.
– The malware impersonated a legitimate Ethereum development tool and secretly downloaded and executed a script on the victim’s system without any visible output.
– Before execution on Windows, the malware specifically checked for the presence of the Chinese antivirus software Qihoo 360, indicating likely targeting of users in Asia.
– The packages’ focus on Ethereum and Uniswap utilities suggests the primary targets were developers working on cryptocurrency and decentralized applications.
A recent security incident has exposed a significant threat to developers working within the Web3 and cryptocurrency space. Two malicious packages uploaded to the official Rust programming language registry, crates.io, were designed to stealthily steal cryptocurrency from developers’ systems. The primary package, named `evm-units`, was downloaded over 7,250 times before its removal, while a second, seemingly benign package called `uniswap-utils` that depended on the malicious code was downloaded more than 7,400 times. The account responsible for uploading these crates has been disabled by the registry’s maintainers.
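The second crate pulled the malicious one in as a dependency, so a developer who inspected only the crate they added directly would never have seen `evm-units` in their own manifest. As an added example (not code from the article, from Socket, or from either crate), the Rust program below parses a Cargo.lock and reports which package imports a crate on a blocklist, so a removed crate reached transitively is surfaced together with its importer. The lockfile it runs on is constructed for the example and its version numbers are invented; only the crate names `evm-units` and `uniswap-utils` come from the article.

```rust
// Added example, not from the article, from Socket, or from either crate:
// audit a Cargo.lock for packages that import a blocklisted crate, so a
// removed crate pulled in transitively is reported with its importer.
// SAMPLE_LOCK is constructed for the example; its version numbers are invented.

/// One `[[package]]` table from Cargo.lock: the package name and the names
/// of the crates it lists under `dependencies`.
#[derive(Debug, Default, Clone, PartialEq, Eq)]
pub struct LockedPackage {
    pub name: String,
    pub deps: Vec<String>,
}

/// Strip one pair of surrounding double quotes, or return None if absent.
fn unquote(s: &str) -> Option<String> {
    s.trim().strip_prefix('"')?.strip_suffix('"').map(str::to_string)
}

/// Dependency entries read `"name"` or `"name 1.2.3 (source)"`; keep the name.
fn dep_name(entry: &str) -> Option<String> {
    let quoted = unquote(entry.trim().trim_end_matches(','))?;
    quoted.split_whitespace().next().map(str::to_string)
}

/// Minimal parser for the `[[package]]` tables in a Cargo.lock. It reads
/// `name = "..."` and both the multi-line and single-line `dependencies = [...]`
/// forms, and ignores every other key (version, source, checksum).
pub fn parse_lock(lock: &str) -> Vec<LockedPackage> {
    let mut packages = Vec::new();
    let mut current: Option<LockedPackage> = None;
    let mut in_deps = false;

    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            packages.extend(current.take());
            current = Some(LockedPackage::default());
            in_deps = false;
            continue;
        }
        let pkg = match current.as_mut() {
            Some(p) => p,
            None => continue, // header lines before the first table
        };
        if in_deps {
            if line.starts_with(']') {
                in_deps = false;
            } else {
                pkg.deps.extend(dep_name(line));
            }
        } else if let Some(rest) = line.strip_prefix("name = ") {
            pkg.name = unquote(rest).unwrap_or_default();
        } else if let Some(rest) = line.strip_prefix("dependencies = [") {
            match rest.trim() {
                "" => in_deps = true, // entries follow one per line
                inline => pkg
                    .deps
                    .extend(inline.trim_end_matches(']').split(',').filter_map(dep_name)),
            }
        }
    }
    packages.extend(current);
    packages
}

/// Returns (importer, blocklisted crate) pairs found in the lockfile.
pub fn find_blocklisted(lock: &str, blocklist: &[&str]) -> Vec<(String, String)> {
    let mut hits = Vec::new();
    for pkg in parse_lock(lock) {
        for dep in &pkg.deps {
            if blocklist.contains(&dep.as_str()) {
                hits.push((pkg.name.clone(), dep.clone()));
            }
        }
    }
    hits
}

/// Constructed Cargo.lock for the example; the version numbers are invented.
pub const SAMPLE_LOCK: &str = r#"# Constructed Cargo.lock for the example; versions are invented.
version = 3

[[package]]
name = "evm-units"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "uniswap-utils"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "evm-units",
]

[[package]]
name = "my-dapp"
version = "0.1.0"
dependencies = ["uniswap-utils"]
"#;

fn main() {
    for (importer, bad) in find_blocklisted(SAMPLE_LOCK, &["evm-units"]) {
        println!("{importer} pulls in blocklisted crate {bad}");
    }
}
```

A blocklist only catches names already known to be bad; for published advisories the RustSec advisory database and `cargo audit` perform the same lookup, but a crate that has just been removed from the registry does not necessarily have an advisory yet, which is why a check this cheap is worth running in CI against the lockfile rather than only against the manifest.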
Security researchers at Socket identified the threat and conducted a detailed analysis. They found that the `evm-units` package was crafted to impersonate a legitimate Ethereum Virtual Machine (EVM) helper tool, a common utility for developers building smart contracts. On the surface, it performed a simple function, returning an Ethereum version number to avoid raising suspicion. Beneath this harmless facade, however, the package executed a multi-stage attack designed to operate completely invisibly on the victim’s machine.
The malicious code worked by first decoding a hidden URL embedded within the package. It then performed a check to identify the host operating system, whether Linux, macOS, or Windows. Following this identification, it would download and save a platform-specific script into the system’s temporary folder and execute it without any visual indication or log output. This method allows for what experts call a “silent second-stage infection,” where the downloaded script can run arbitrary commands or install further malicious payloads.
A particularly notable aspect of the malware’s behavior was its specific check for the presence of Qihoo 360’s 360 Total Security antivirus software on Windows systems. This check influenced how the malicious script was launched. If the antivirus was not detected, the malware would directly invoke PowerShell. If the Qihoo software was present, it would instead execute a VBScript designed to run a hidden PowerShell instance, likely as an evasion technique.
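The behaviour in the two paragraphs above is a combination of capabilities that are each individually common in legitimate crates: build scripts write into the temp directory and spawn processes routinely. As an added example, not from the article, from Socket or from the crates involved, the Rust scanner below looks for the combination rather than any single capability in source text: runtime string decoding or OS branching, a temp-directory drop, a shell spawn, and silenced output. The substring rules, the constructed suspect fragment and the benign build-script fragment are all assumptions made for the example; the only product strings it matches are the Qihoo 360 names the article gives.

```rust
// Added example, not from the article, from Socket, or from the crates
// involved: a heuristic scan of Rust source text for the capability chain the
// article describes. Rules and both fixtures are constructed for the example.
use std::collections::BTreeSet;

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Capability {
    DecodedString, // runtime decoding that can conceal a URL
    OsBranch,      // behaviour selected by target OS
    TempDrop,      // file written under the temp directory
    ShellSpawn,    // powershell / wscript / sh / cmd launched
    SilencedIo,    // child output discarded
    AvProbe,       // reference to the security product named in the article
}

// Substrings taken as evidence of each capability (assumed for the example;
// a production rule set would work on the AST rather than raw text).
const RULES: &[(Capability, &[&str])] = &[
    (Capability::DecodedString, &["base64", "hex::decode", "from_utf8("]),
    (Capability::OsBranch, &["target_os", "consts::OS"]),
    (Capability::TempDrop, &["temp_dir()"]),
    (Capability::ShellSpawn, &[
        "Command::new(\"powershell", "Command::new(\"wscript",
        "Command::new(\"sh\"", "Command::new(\"cmd",
    ]),
    (Capability::SilencedIo, &["Stdio::null()"]),
    (Capability::AvProbe, &["Qihoo", "360 Total Security"]),
];

/// Every capability for which at least one rule substring occurs in `src`.
pub fn capabilities(src: &str) -> BTreeSet<Capability> {
    RULES
        .iter()
        .filter(|(_, needles)| needles.iter().any(|n| src.contains(*n)))
        .map(|(cap, _)| *cap)
        .collect()
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Clean,
    Review(Vec<Capability>),        // some capabilities, chain incomplete
    SilentDropper(Vec<Capability>), // staged payload + temp drop + silent spawn
}

/// The chain the article describes: a staged payload (decoded string or OS
/// branching), a drop into the temp directory, a shell spawn, and silenced
/// output. Anything short of the full chain is only queued for review.
pub fn assess(src: &str) -> Verdict {
    let caps = capabilities(src);
    let has = |c: Capability| caps.contains(&c);
    let staged = has(Capability::DecodedString) || has(Capability::OsBranch);
    let chain = staged
        && has(Capability::TempDrop)
        && has(Capability::ShellSpawn)
        && has(Capability::SilencedIo);
    let list: Vec<Capability> = caps.iter().copied().collect();
    if chain {
        Verdict::SilentDropper(list)
    } else if list.is_empty() {
        Verdict::Clean
    } else {
        Verdict::Review(list)
    }
}

/// Constructed fixture: indicator lines only, mirroring the article's
/// description; not a program and not the real crate's code.
pub const SUSPECT: &str = r#"
pub fn evm_version() -> &'static str { "0.8.0" } // benign facade
let url = String::from_utf8(base64::decode(enc)?)?;
let dest = std::env::temp_dir().join(name);
if cfg!(target_os = "windows") { /* pick launcher */ }
let av_present = installed("Qihoo 360 Total Security");
Command::new("powershell").stdout(Stdio::null()).spawn()?;
"#;

/// Constructed fixture: a build script that also uses the temp directory and
/// spawns a process, but with no staging and no silencing.
pub const BENIGN_BUILD_RS: &str = r#"
let out = std::env::temp_dir().join("generated.rs");
std::fs::write(&out, &generated)?;
std::process::Command::new("rustfmt").arg(&out).status()?;
"#;

fn main() {
    println!("suspect:  {:?}", assess(SUSPECT));
    println!("build.rs: {:?}", assess(BENIGN_BUILD_RS));
}
```

Requiring the whole chain keeps a lone `temp_dir()` or `Command::new` in a build script from firing; the cost is that stages spread across several crates, or strings hidden behind further obfuscation, defeat substring matching, so this is a triage filter ahead of manual review rather than a blocker.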
This explicit check for a leading Chinese security product provides a strong clue about the attacker’s focus. Security analysts suggest this “China-focused targeting indicator” aligns with a crypto-theft motive, given Asia’s substantial retail cryptocurrency market. Combined with the packages’ disguise as EVM development tools and Uniswap utilities (libraries for interacting with the popular decentralized exchange), the intended victims become clear: the attack was almost certainly aimed at developers actively building decentralized applications (dApps), who would naturally seek out and trust such helper libraries from a reputable source like the official Rust registry.
The incident underscores the critical need for developers to exercise caution with open-source dependencies, even those from official repositories. Vigilance and the use of security tools that can analyze package code for suspicious behavior are essential defenses in a landscape where attackers continually seek to exploit trust within developer ecosystems.
(Source: HelpNet Security)