Tools: GHSA-6662-54XR-8423: The Trojan Horse in Your Cargo.toml: Deconstructing the 'evm-units' Supply Chain Attack
2026-02-07
admin
Vulnerability ID: GHSA-6662-54XR-8423
CVSS Score: 10.0
Published: 2026-02-06

For eight months, a malicious Rust crate named 'evm-units' sat quietly on crates.io, masquerading as a harmless utility for Ethereum unit conversion. Behind the scenes, it was a sophisticated supply chain attack targeting Web3 developers. By abusing the Rust build process, it executed cross-platform malware the moment a developer compiled their project, compromising over 7,400 environments before its removal in December 2025.

A malicious Rust package ('evm-units') infected ~7,400 developer machines by executing malware via the 'build.rs' script during compilation. It targeted Windows, Linux, and macOS systems to steal crypto-wallets and credentials.

Read the full report for GHSA-6662-54XR-8423 on our website for more details including interactive diagrams and full exploit analysis.

## ⚠️ Exploit Status: ACTIVE

## Technical Details

- CWE ID: CWE-506
- Attack Vector: Supply Chain / Typosquatting
- Severity: Critical (Malware)
- Downloads: ~7,400
- Campaign: Kimwolf
- Platform: Cross-Platform (Windows, Linux, macOS)

## Affected Systems

- Rust Development Environments
- CI/CD Pipelines Building Rust Projects
- Web3/Blockchain Development Workstations
- evm-units: All versions (Fixed in: N/A (Remove))

## Exploit Details

- Socket Research: Analysis of the build.rs execution flow and payload retrieval.

## Mitigation Strategies

- Implement dependency vetting using tools like 'cargo-vet' or 'cargo-crev'.
- Block outbound network connections during build steps where possible.
- Use 'cargo-audit' in CI/CD pipelines to catch known vulnerabilities early.
- Pin dependency versions and commit 'Cargo.lock' to version control.

- Identify if 'evm-units' is present in 'Cargo.lock'.
- Isolate the infected machine from the network immediately.
- Rotate all secrets (SSH, AWS, GPG, Wallet Seeds) exposed to the environment.
- Format the storage drive and reinstall the operating system (Scorched Earth).
- Audit git logs for unauthorized commits made by the compromised user.

## References

- GHSA-6662-54XR-8423 Advisory
- Socket Analysis of evm-units
- Vx-Underground Malware Samples