GHSA-6662-54XR-8423: The Trojan Horse in Your Cargo.toml: Deconstructing the 'evm-units' Supply Chain Attack
Source: Dev.to

Vulnerability ID: GHSA-6662-54XR-8423
CVSS Score: 10.0
Published: 2026-02-06
For eight months, a malicious Rust crate named evm-units sat quietly on crates.io, masquerading as a harmless utility for Ethereum unit conversion. By abusing the Rust build process, it executed cross‑platform malware the moment a developer compiled their project, compromising over 7,400 environments before its removal in December 2025.
TL;DR
A malicious Rust package (evm-units) infected ~7,400 developer machines by executing malware via the build.rs script during compilation. It targeted Windows, Linux, and macOS systems to steal crypto‑wallets and credentials.
Technical Details
- CWE ID: CWE‑506
- Attack Vector: Supply Chain / Typosquatting
- Severity: Critical (Malware)
- Downloads: ~7,400
- Campaign: Kimwolf
- Platform: Cross‑Platform (Windows, Linux, macOS)
Affected Systems
- Rust development environments
- CI/CD pipelines building Rust projects
- Web3/Blockchain development workstations
- evm-units: all versions (fixed in: N/A; remove the crate)
Exploit Details
Analysis of the build.rs execution flow and payload retrieval by Socket Research.
Mitigation Strategies
- Implement dependency vetting using tools like cargo-vet or cargo-crev.
- Block outbound network connections during build steps where possible.
- Use cargo-audit in CI/CD pipelines to catch known vulnerabilities early.
- Pin dependency versions and commit Cargo.lock to version control.
Remediation Steps
- Identify whether evm-units is present in Cargo.lock.
- Isolate the infected machine from the network immediately.
- Rotate all secrets (SSH, AWS, GPG, wallet seeds) exposed to the environment.
- Format the storage drive and reinstall the operating system (scorched‑earth approach).
- Audit git logs for unauthorized commits made by the compromised user.
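The first remediation step and the Cargo.lock pinning advice above can be automated. The following is an added example, not code from the advisory or from Socket Research: a dependency-free Rust scanner that parses Cargo.lock and flags any locked crate on a deny-list (here just evm-units). The Cargo.lock fragment and version numbers in main are constructed for the example.

```rust
/// One `[[package]]` table from Cargo.lock; `source` is empty for path deps.
#[derive(Debug, Clone, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
    pub source: String,
}

/// Minimal line-based Cargo.lock parser (no `toml` crate needed). Only
/// `name`, `version` and `source` are kept; arrays such as `dependencies` are skipped.
pub fn parse_cargo_lock(contents: &str) -> Vec<LockedPackage> {
    let mut packages = Vec::new();
    let mut current: Option<LockedPackage> = None;
    for line in contents.lines().map(str::trim) {
        if line.starts_with('[') {
            // Any table header ([[package]] or [metadata]) ends the previous entry.
            packages.extend(current.take());
            if line == "[[package]]" {
                current = Some(LockedPackage { name: String::new(), version: String::new(), source: String::new() });
            }
        } else if let (Some(pkg), Some((key, val))) = (current.as_mut(), line.split_once(" = ")) {
            let val = val.trim_matches('"').to_string();
            match key {
                "name" => pkg.name = val,
                "version" => pkg.version = val,
                "source" => pkg.source = val,
                _ => {} // checksum, dependencies: not needed for the scan
            }
        }
    }
    packages.extend(current);
    packages
}

/// Locked packages whose name exactly matches a deny-list entry.
pub fn find_denied(packages: &[LockedPackage], denylist: &[&str]) -> Vec<LockedPackage> {
    packages.iter().filter(|p| denylist.contains(&p.name.as_str())).cloned().collect()
}

fn main() {
    // Constructed Cargo.lock fragment; the version numbers are made up for the example.
    let lock = "[[package]]\nname = \"evm-units\"\nversion = \"0.0.0\"\n\
                source = \"registry+https://github.com/rust-lang/crates.io-index\"\n\n\
                [[package]]\nname = \"serde\"\nversion = \"1.0.0\"\n\
                dependencies = [\n \"serde_derive\",\n]\n";
    for hit in find_denied(&parse_cargo_lock(lock), &["evm-units"]) {
        println!("DENIED: {} {} ({})", hit.name, hit.version, hit.source);
    }
}
```

Run it against a real lockfile by reading the file into `lock`; a non-empty result means the crate must be removed and the environment treated as compromised per the steps above.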