The Socket Research Team has discovered a sophisticated malicious PyPI package named ‘set-utils’ designed to steal Ethereum private keys from unsuspecting developers. By silently intercepting standard wallet creation methods, the malicious package creates a significant security risk for blockchain developers, DeFi projects, crypto exchanges, and individual users managing Ethereum wallets with Python automation.

The malware specifically targets blockchain developers using Python-based wallet management libraries, particularly those working with eth-account for Ethereum wallet creation and management. It modifies standard Ethereum account creation functions through a wrapper that exfiltrates credentials in the background, using threading to avoid detection.

According to the Socket Research Team, the package first embeds an attacker-controlled RSA public key and Ethereum wallet address, which are used to encrypt and transmit the stolen credentials. The core exfiltration functionality is handled by a transmit() function that encrypts private keys with the attacker’s public key and sends them within Ethereum transactions via the Polygon RPC endpoint. Instead of using traditional network communication channels that might trigger security alerts, the malware transmits the stolen private keys as blockchain transactions over the Polygon RPC network.

Following the report from the Socket Research Team (Dhanesh Dodia, Sambarathi Sai, and Dwijay Chintakunta), the PyPI team has removed the malicious package to prevent further attacks. Developers are advised to audit their dependencies regularly, implement automated scanning tools, and consider using security solutions like Socket’s GitHub app to detect suspicious packages before they can cause harm.
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 10 Mar 2025 12:55:13 +0000