
"Based on the victim's operating system and whether Qihoo 360 antivirus is running, the package downloads a payload, writes it to the system temp directory, and silently executes it," Socket security researcher Olivia Brown said in a report. "The package appears to return the Ethereum version number, so the victim is none the wiser." A notable aspect of the package is that it is explicitly designed to check for the presence of the "qhsafetray.exe" process,
Specifically, the package is designed to invoke a seemingly harmless function named "get_evm_version()", which decodes and reaches out to an external URL ("download.videotalks[.]xyz") to fetch a next-stage payload depending on the operating system on which it's being run. On Linux, it downloads a script, saves it in /tmp/init, and runs it in the background using the nohup command, enabling the attacker to gain full control
A malicious Rust crate named evm-units targeted developer machines running Windows, macOS, and Linux by masquerading as an Ethereum Virtual Machine unit helper tool. The crate downloaded OS-specific payloads, wrote them to the system temporary directory, and executed them silently to establish control. It checked for the qhsafetray.exe process associated with Qihoo 360 antivirus and altered its behavior accordingly. A helper package, uniswap-utils, referenced evm-units as a dependency and also saw many downloads. Both crates were uploaded in mid-April 2025 and later removed from the crates.io repository.
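As an added defender-side example (not Socket's tooling and not code from the crate), the following Python triages a project against the two facts the summary gives: the crate names to blocklist, and the behaviour chain to look for in vendored Rust source. The Cargo.lock and Rust snippets it scans are constructed samples, and the indicator weights are this example's own choice.

```python
"""Triage for a crate incident like evm-units. Check 1 walks a Cargo.lock for
blocklisted packages, direct or transitive, and names what pulls them in
(uniswap-utils pulled in evm-units, so a direct-dependency grep would miss it).
Check 2 scores Rust source for the reported behaviour chain. Inputs are constructed."""
import re
from collections import defaultdict

BLOCKLIST = {"evm-units", "uniswap-utils"}  # crate names from the report

# Patterns paraphrase the reported behaviour; the weights are our own choice.
INDICATORS = {
    "av_process_check": (r"qhsafetray\.exe", 3),
    "temp_dir_write": (r"temp_dir\(\)|/tmp/", 1),
    "detached_exec": (r"\bnohup\b", 2),
    "spawn_command": (r"Command::new", 1),
}

def parse_cargo_lock(text):
    """Return {package: [dependency names]} from the [[package]] blocks."""
    deps = {}
    for block in re.split(r"\[\[package\]\]", text)[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        m = re.search(r"dependencies = \[(.*?)\]", block, re.S)
        # entries look like "serde" or "serde 1.0.0"; keep only the name
        deps[name] = re.findall(r'"([^" ]+)', m.group(1)) if m else []
    return deps

def find_blocklisted(lock_text, blocklist=BLOCKLIST):
    """Map each blocklisted crate in the lock to the crates depending on it."""
    deps = parse_cargo_lock(lock_text)
    hits = defaultdict(list)
    for name, children in deps.items():
        if name in blocklist:
            hits[name]  # record presence even if nothing depends on it
        for child in children:
            if child in blocklist:
                hits[child].append(name)
    return dict(hits)

def score_source(rust_src):
    """Return (score, matched indicators); several together is the signal."""
    matched = [k for k, (pat, _) in INDICATORS.items() if re.search(pat, rust_src)]
    return sum(INDICATORS[k][1] for k in matched), matched

SAMPLE_LOCK = ('[[package]]\nname = "my-app"\nversion = "0.1.0"\ndependencies = [\n "uniswap-utils",\n]\n\n'
               '[[package]]\nname = "uniswap-utils"\nversion = "0.1.0"\ndependencies = [\n "evm-units",\n]\n\n'
               '[[package]]\nname = "evm-units"\nversion = "0.1.0"\n')
SAMPLE_SRC = ('let av = procs.iter().any(|p| p == "qhsafetray.exe");\n'
              'let out = std::env::temp_dir().join("init");\nCommand::new("nohup").arg(&out).spawn().ok();')
```

Running `find_blocklisted(SAMPLE_LOCK)` shows evm-units arriving only through uniswap-utils, which is why the lock file rather than Cargo.toml is the place to look.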
Read at The Hacker News