crates.io: Malicious crates evm-units and uniswap-utils

Published: 2 days ago (December 2, 2025 at 07:00 PM EST)

1 min read

Source: Rust Blog

Summary

On December 2nd, the crates.io team was notified by Olivia Brown from the Socket Threat Research Team of two malicious crates that were downloading a payload likely attempting to steal cryptocurrency.

evm-units – 13 versions published in April 2025, downloaded 7,257 times
uniswap-utils – 14 versions published in April 2025, downloaded 7,441 times, used evm-units as a dependency

Actions taken

The user ablerust was immediately disabled, and the crates were deleted from crates.io shortly after. The malicious crate files have been retained for further analysis.

The deletions were performed at 22:01 UTC on December 2nd.

Analysis

Socket has published their analysis in a blog post.

These crates had no downstream dependent crates on crates.io.

Thanks

Our thanks to Olivia Brown from the Socket Threat Research Team for reporting the crates. We also thank Carol Nichols from the crates.io team and Walter Pearce and Adam Harvey from the Rust Foundation for aiding in the response.

crates.io: Malicious crates evm-units and uniswap-utils

Summary

Actions taken

Analysis

Thanks

Related posts

dremioframe & iceberg: Pythonic interfaces for Dremio and Apache Iceberg

Become a GDG on Campus Organizer: Your Complete Selection Journey

Passkeys and WebAuthn: The Future of Passwordless Authentication

How I Built a Multi-Platform AI Bot with Langflow's Drag-and-Drop Workflows