
CVE Reports

Originally published at cvereports.com

GHSA-6662-54XR-8423: The Trojan Horse in Your Cargo.toml: Deconstructing the 'evm-units' Supply Chain Attack


Vulnerability ID: GHSA-6662-54XR-8423
CVSS Score: 10.0
Published: 2026-02-06

For eight months, a malicious Rust crate named 'evm-units' sat quietly on crates.io, masquerading as a harmless utility for Ethereum unit conversion. Behind the scenes, it was a sophisticated supply chain attack targeting Web3 developers. By abusing the Rust build process, it executed cross-platform malware the moment a developer compiled their project, compromising over 7,400 environments before its removal in December 2025.

TL;DR

A malicious Rust package ('evm-units') infected ~7,400 developer machines by executing malware from its 'build.rs' script during compilation. It targeted Windows, Linux, and macOS systems to steal cryptocurrency wallets and credentials.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-506
  • Attack Vector: Supply Chain / Typosquatting
  • Severity: Critical (Malware)
  • Downloads: ~7,400
  • Campaign: Kimwolf
  • Platform: Cross-Platform (Windows, Linux, macOS)

Affected Systems

  • Rust Development Environments
  • CI/CD Pipelines Building Rust Projects
  • Web3/Blockchain Development Workstations
  • evm-units: all versions (no fixed version exists; remove the crate entirely)

Exploit Details

  • Socket Research: Analysis of the build.rs execution flow and payload retrieval.

Mitigation Strategies

  • Implement dependency vetting using tools like 'cargo-vet' or 'cargo-crev'.
  • Block outbound network connections during build steps where possible.
  • Use 'cargo-audit' in CI/CD pipelines to catch known vulnerabilities early.
  • Pin dependency versions and commit 'Cargo.lock' to version control.

Remediation Steps:

  1. Identify if 'evm-units' is present in 'Cargo.lock'.
  2. Isolate the infected machine from the network immediately.
  3. Rotate all secrets exposed to the environment (SSH keys, AWS credentials, GPG keys, wallet seed phrases).
  4. Format the storage drive and reinstall the operating system (Scorched Earth).
  5. Audit git logs for unauthorized commits made by the compromised user.
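A scanner for step 1, added here as an example and not taken from the report or from Socket's analysis: it parses Cargo.lock without external crates and reports a denylisted crate together with the packages that pull it in, because a transitive dependency's build.rs runs at compile time exactly like a direct one's. The version shown and every package name other than evm-units are constructed.

```rust
// Added example (not from the report or Socket): CI-side Cargo.lock scanner that flags a denylisted crate and names its consumers.
#[derive(Default)]
pub struct LockedPackage { pub name: String, pub version: String, pub deps: Vec<String> }

/// Strip quotes and a trailing comma from a TOML string like `"serde",`; None if not quoted.
fn unquote(s: &str) -> Option<String> {
    s.trim().trim_end_matches(',').strip_prefix('"')?.strip_suffix('"').map(str::to_owned)
}
/// Parse the `[[package]]` tables of a Cargo.lock line by line (no TOML crate needed).
pub fn parse_cargo_lock(lock: &str) -> Vec<LockedPackage> {
    let (mut pkgs, mut cur) = (Vec::new(), None::<LockedPackage>);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" { pkgs.extend(cur.replace(LockedPackage::default())); }
        else if let Some(p) = cur.as_mut() {
            // Bare quoted lines occur only inside `dependencies = [...]`, as `"name"` or `"name version"`.
            if let Some(d) = unquote(line) { p.deps.push(d.split(' ').next().unwrap_or("").to_owned()); }
            else if let Some(v) = line.strip_prefix("name = ") { p.name = unquote(v).unwrap_or_default(); }
            else if let Some(v) = line.strip_prefix("version = ") { p.version = unquote(v).unwrap_or_default(); }
        }
    }
    pkgs.extend(cur);
    pkgs
}

/// One finding per denylisted crate present, naming the crates that depend on it: a
/// transitive pull still runs the crate's build.rs even if your Cargo.toml never names it.
pub fn find_denylisted(lock: &str, denylist: &[&str]) -> Vec<String> {
    let pkgs = parse_cargo_lock(lock);
    pkgs.iter().filter(|p| denylist.contains(&p.name.as_str())).map(|p| {
        let parents: Vec<&str> = pkgs.iter().filter(|q| q.deps.contains(&p.name))
            .map(|q| q.name.as_str()).collect();
        format!("{} {} pulled in by: {}", p.name, p.version, parents.join(", "))
    }).collect()
}
// Constructed sample lockfile: only the crate name is from the report; version and consumers are made up.
pub const SAMPLE_LOCK: &str = r#"[[package]]
name = "my-dapp"
version = "0.1.0"
dependencies = [
 "eth-helpers",
]
[[package]]
name = "eth-helpers"
version = "0.3.1"
dependencies = [
 "evm-units",
]
[[package]]
name = "evm-units"
version = "1.0.0"
"#;
```

Wire `find_denylisted` to the real lockfile in CI and fail the job on any non-empty result, before `cargo build` runs.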

References


Read the full report for GHSA-6662-54XR-8423 on our website for more details including interactive diagrams and full exploit analysis.
