Four Malicious Packages Identified In Crates.io Rust Repository

Rust language developers have warned that four packages containing malicious code, finch-rust, sha-rust, evm-units and uniswap-utils, have been identified in the crates.io repository.

The evm-units package included code that downloaded additional components aimed at stealing cryptocurrency. It was published in April 2025 and was downloaded 7,257 times. The uniswap-utils package, also uploaded in April and downloaded 7,441 times, used evm-units as a dependency, so projects that never listed evm-units directly were still exposed through it. The malicious code was triggered when the get_evm_version() function was called and fetched external code from “https://download[.]videotalks[.]xyz/gui/6dad3/…”. On Linux and macOS an init script was downloaded and run; on Windows it was init.ps1.

The sha-rust package was published in the repository on November 20, was downloaded 153 times and contained code that searched for sensitive data and sent it to an external server. The finch-rust package reproduced the original code of the finch package but added a call to sha_rust::from_str(), which executed an obfuscated handler that transmitted system information, environment variables, and the contents of config.toml, id.json and files with the “.env” extension (for example production.env, staging.env and dev.env, which commonly hold access tokens).

finch-rust itself was published on crates.io on November 25 with sha-rust as a dependency. It was created for a typosquatting attack on users of the legitimate finch package, in the hope that a user finding it through search or picking it from a list would overlook the difference in name.
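As an added check, the following Rust snippet (example code written for this article, not from the Rust project, crates.io or any of the packages above) parses a Cargo.lock and reports any of the four crates named in the advisory together with the crates that pulled them in. Cargo.lock records the full dependency graph, so the check also catches evm-units and sha-rust when they arrive only transitively via uniswap-utils or finch-rust. The advisory gives no affected version numbers, so matching is by name only; the sample lockfile embedded below, its version numbers, checksum and the crate name wallet-tool are constructed for illustration.

```rust
use std::collections::HashMap;

/// One `[[package]]` table from Cargo.lock (only the fields the check needs).
#[derive(Debug, Clone, PartialEq)]
pub struct LockPackage {
    pub name: String,
    pub version: String,
    pub dependencies: Vec<String>,
}

/// Crates named in the advisory. No affected versions are given there, so the
/// check matches on name alone (assumption: every published version is treated as bad).
pub const DENYLIST: &[&str] = &["finch-rust", "sha-rust", "evm-units", "uniswap-utils"];

/// Minimal line-oriented parser for the `[[package]]` tables in Cargo.lock.
/// Handles `key = "value"` lines and the `dependencies = [ ... ]` array
/// (single- or multi-line); every other key is ignored.
pub fn parse_cargo_lock(text: &str) -> Vec<LockPackage> {
    let mut packages = Vec::new();
    let mut current: Option<LockPackage> = None;
    let mut in_deps = false;

    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(pkg) = current.take() {
                packages.push(pkg);
            }
            current = Some(LockPackage { name: String::new(), version: String::new(), dependencies: Vec::new() });
            in_deps = false;
            continue;
        }
        // Lines before the first [[package]] (header, `version = N`) are skipped.
        let pkg = match current.as_mut() { Some(p) => p, None => continue };
        if in_deps {
            if line.starts_with(']') {
                in_deps = false;
            } else if let Some(dep) = dep_name(line) {
                pkg.dependencies.push(dep);
            }
            continue;
        }
        if let Some((key, value)) = line.split_once('=') {
            let value = value.trim();
            match key.trim() {
                "name" => pkg.name = unquote(value),
                "version" => pkg.version = unquote(value),
                "dependencies" => {
                    let body = value.trim_start_matches('[');
                    if body.contains(']') {
                        // One-line form: dependencies = ["a", "b"]
                        for item in body.trim_end_matches(']').split(',') {
                            if let Some(dep) = dep_name(item) { pkg.dependencies.push(dep); }
                        }
                    } else {
                        // Multi-line form: the array continues until a closing `]`.
                        in_deps = true;
                    }
                }
                _ => {}
            }
        }
    }
    if let Some(pkg) = current {
        packages.push(pkg);
    }
    packages
}

fn unquote(s: &str) -> String {
    s.trim().trim_matches('"').to_string()
}

/// Dependency entries look like `"evm-units"`, `"evm-units 0.2.1"` or
/// `"evm-units 0.2.1 (registry+...)"`; the crate name is the first token.
fn dep_name(item: &str) -> Option<String> {
    let cleaned = item.trim().trim_end_matches(',').trim_matches('"');
    cleaned.split_whitespace().next().map(str::to_string)
}

/// A denylisted crate present in the lockfile and the crates that depend on it
/// (the workspace's own crate appears here for direct dependencies).
#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub name: String,
    pub version: String,
    pub required_by: Vec<String>,
}

pub fn find_denylisted(packages: &[LockPackage], denylist: &[&str]) -> Vec<Finding> {
    // Reverse index: crate name -> crates that list it as a dependency.
    let mut reverse: HashMap<&str, Vec<String>> = HashMap::new();
    for pkg in packages {
        for dep in &pkg.dependencies {
            reverse.entry(dep.as_str()).or_default().push(pkg.name.clone());
        }
    }
    let mut findings: Vec<Finding> = packages
        .iter()
        .filter(|p| denylist.contains(&p.name.as_str()))
        .map(|p| Finding {
            name: p.name.clone(),
            version: p.version.clone(),
            required_by: reverse.get(p.name.as_str()).cloned().unwrap_or_default(),
        })
        .collect();
    findings.sort_by(|a, b| a.name.cmp(&b.name));
    findings
}

/// Constructed sample lockfile: a hypothetical `wallet-tool` crate that lists
/// uniswap-utils and finch-rust directly and so pulls in evm-units and sha-rust.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "evm-units"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "finch-rust"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "sha-rust",
]

[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "sha-rust"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "uniswap-utils"
version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "evm-units",
 "serde",
]

[[package]]
name = "wallet-tool"
version = "0.1.0"
dependencies = [
 "finch-rust",
 "uniswap-utils",
]
"#;

fn main() {
    let packages = parse_cargo_lock(SAMPLE_LOCK);
    let findings = find_denylisted(&packages, DENYLIST);
    if findings.is_empty() {
        println!("no denylisted crates in lockfile");
    }
    for f in &findings {
        println!("{} {} required by {:?}", f.name, f.version, f.required_by);
    }
}
```

To run it against a real project, read the project's Cargo.lock into a string instead of SAMPLE_LOCK. The same dependent-of information is available from Cargo itself with `cargo tree -i <crate>`; the point of scanning the lockfile is that it covers every crate that will actually be built, not just the direct entries in Cargo.toml.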
