A malicious package designed to steal private keys for Ethereum wallets has been uncovered within the Python Package Index (PyPI).
According to Socket, this package – named ‘set-utils’ – masquerades as a utility for Python sets and has been actively targeting developers.
“The Socket Research Team has discovered a malicious PyPI package, set-utils, designed to steal Ethereum private keys by exploiting commonly used account creation functions,” the team stated.
This package mimics popular libraries such as ‘python-utils’ and ‘utils,’ tricking developers into installing the compromised software.
Since its appearance on January 29, 2025, ‘set-utils’ has been downloaded over 1,000 times, posing a serious threat to Ethereum users and developers—particularly those working with Python-based wallet management libraries like ‘eth-account’.
How the attack compromises Ethereum wallets
The malicious package works by intercepting the functions that load an Ethereum account. The private keys it captures are exfiltrated through a public Polygon RPC endpoint, which the report describes as the attacker's Command and Control (C2) server: the stolen data travels inside blockchain transactions submitted to that endpoint, so the only outbound traffic is to a legitimate, widely used RPC host, and nothing looks out of place on a network that already talks to Web3 services.
The attack primarily targets:
- Blockchain developers using ‘eth-account’ for wallet creation and management
- DeFi (Decentralised Finance) projects relying on Python scripts for account generation
- Crypto exchanges and Web3 applications integrating Ethereum transactions
- Individuals managing personal Ethereum wallets using Python automation
Anyone who has installed ‘set-utils’ risks exposing their private keys, potentially leading to substantial financial losses.
The consequences of this attack are severe:
- Silent theft of Ethereum private keys: The attack hooks into standard wallet creation methods, making detection difficult.
- Hardcoded attacker-controlled RSA public key: Each private key is encrypted with this key before transmission, so although the transaction carrying it is public, the key is readable only to whoever holds the matching RSA private key.
- Abuse of Polygon RPC as a C2 channel: Stolen data is hidden within blockchain transactions, complicating detection.
- Permanent compromise: Uninstalling ‘set-utils’ stops further theft but does not recover anything already sent. Any account created or imported through the patched functions while the package was installed should be treated as compromised: move its funds to a wallet generated on a clean system and retire the old key.
Technical analysis and mitigation
The malicious code operates in three stages:
- Embedding the attacker’s RSA public key and Ethereum account: The script defines an attacker-controlled RSA public key, used to encrypt the stolen keys, and an attacker-controlled Ethereum wallet address, used when sending them.
- Exfiltrating private keys via Polygon RPC (C2 server): The ‘transmit()’ function encrypts each private key with the embedded RSA public key and sends it inside a transaction, addressed to the embedded wallet address, through the Polygon RPC endpoint.
- Patching Ethereum account loading functions: The package silently replaces eth-account’s ‘from_key()’ and ‘from_mnemonic()’ with wrappers that return a working account to the caller and hand the private key to the exfiltration routine. Account creation therefore succeeds exactly as the developer expects, which is what keeps the theft invisible. Because ‘from_key()’ imports an existing private key and ‘from_mnemonic()’ restores one from a seed phrase, keys that already existed are exposed as well, not only freshly generated ones. The exfiltration runs in a background thread, so it adds no noticeable delay and does not block the caller.
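The three stages above, as an added example written for this article rather than code taken from set-utils or from eth-account: StandInAccount is a constructed stand-in for eth_account.Account carrying only the two method names the report mentions, install_hook() applies a patch of the shape the report describes (the private key goes to capture_key() inside the process instead of to an RPC endpoint), and looks_hooked() is the integrity check a developer can point at the real class to see whether its loaders have been swapped out. All names are this example's own assumptions.

```python
import functools
import hashlib
import os
import sys
import threading


class StandInAccount:
    """Constructed stand-in for eth_account.Account (assumption: only the two
    method names matter). The real class does BIP-39/44 derivation; here the
    mnemonic is hashed so the example has no dependencies."""

    def __init__(self, key: bytes):
        self.key = key

    @classmethod
    def from_key(cls, private_key: bytes) -> "StandInAccount":
        return cls(private_key)

    @classmethod
    def from_mnemonic(cls, mnemonic: str) -> "StandInAccount":
        return cls(hashlib.sha256(mnemonic.encode()).digest())


CAPTURED = []        # stands in for the attacker's transmit(); nothing leaves the process
_LEAK_THREADS = []   # kept only so the demo can wait for the background work


def capture_key(key: bytes) -> None:
    CAPTURED.append(key)


def install_hook(cls) -> None:
    """Shape of the patch the report describes: each loader is replaced by a
    wrapper that returns the genuine account and hands its key to a background
    thread. Illustration only; capture_key() replaces the real exfiltration."""
    for name in ("from_key", "from_mnemonic"):
        original = getattr(cls, name)            # bound classmethod

        def make_wrapper(orig):
            @functools.wraps(orig)               # copies __name__/__module__/__doc__, hiding the swap
            def wrapper(*args, **kwargs):
                account = orig(*args, **kwargs)  # the caller still gets a working account
                t = threading.Thread(target=capture_key, args=(account.key,), daemon=True)
                _LEAK_THREADS.append(t)
                t.start()
                return account
            return wrapper

        setattr(cls, name, staticmethod(make_wrapper(original)))


def looks_hooked(cls, name: str) -> bool:
    """Cheap integrity checks for one loader method. They catch the patch above
    and similar ones; a more careful attacker can evade all three, so a clean
    result is not proof of a clean environment."""
    fn = getattr(cls, name)
    if hasattr(fn, "__wrapped__"):               # functools.wraps leaves this marker behind
        return True
    func = getattr(fn, "__func__", fn)           # unwrap a bound (class)method
    code = getattr(func, "__code__", None)
    if code is None:                             # not a plain Python function at all
        return True
    if code.co_name != name:                     # wraps renames the function, not its code object
        return True
    # The genuine method's code object lives in the file that defines the class.
    module_file = getattr(sys.modules.get(cls.__module__), "__file__", None)
    return module_file is not None and os.path.abspath(code.co_filename) != os.path.abspath(module_file)


def demo() -> dict:
    """Runs the scenario end to end and returns what a defender would observe."""
    names = ("from_key", "from_mnemonic")
    before = {n: looks_hooked(StandInAccount, n) for n in names}
    install_hook(StandInAccount)
    acct = StandInAccount.from_key(b"\x11" * 32)                  # imported key: stolen
    StandInAccount.from_mnemonic("constructed example phrase")    # restored key: stolen
    for t in _LEAK_THREADS:
        t.join()
    after = {n: looks_hooked(StandInAccount, n) for n in names}
    return {
        "hooked_before": before,
        "hooked_after": after,
        "victim_sees_valid_account": acct.key == b"\x11" * 32,
        "keys_leaked": len(CAPTURED),
    }


if __name__ == "__main__":
    print(demo())
```

The three checks are cheap and catch this pattern because functools.wraps leaves a `__wrapped__` attribute and never renames the underlying code object, while a wrapper defined in another package has a different `co_filename`. A patch written to avoid all three will pass, so treat a clean result as absence of evidence; the real fix is still keeping the package out of the environment.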
To mitigate these risks, developers and organisations should:
- Conduct regular dependency audits, and pin dependencies by name, version and hash so that a package nobody reviewed cannot enter a build unnoticed
- Employ automated scanning tools to detect malicious behaviours in third-party packages before they are installed, rather than trusting a name that merely looks familiar
- Use Socket’s free GitHub app, which “enables real-time monitoring of pull requests, flagging suspicious or malicious packages before they are merged.”
- Run the Socket CLI during installations or builds, which adds another layer of defence “by identifying anomalies in open source dependencies before they reach production.”
- Use the Socket browser extension, which provides on-the-fly protection by “analysing browsing activity and alerting users to potential threats before they download or interact with malicious content.”
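What automated scanning for this specific behaviour can look like, as an added example written for this page (it is not Socket's tooling and not the set-utils source): a small AST pass over a package's Python files that flags reassignment of eth_account loader methods, hard-coded PEM public keys and thread creation, the three traits the analysis above describes together. Both source samples are constructed for the demonstration; the placeholder inside the PEM block is not a real key.

```python
import ast

PEM_MARKER = "-----BEGIN PUBLIC KEY-----"
WATCHED_MODULES = {"eth_account"}
WATCHED_METHODS = {"from_key", "from_mnemonic"}


class Indicators(ast.NodeVisitor):
    """Collects (lineno, message) findings for the traits described above."""

    def __init__(self):
        self.watched_names = set()   # local names bound to eth_account or its members
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            root = alias.name.split(".")[0]
            if root in WATCHED_MODULES:
                self.watched_names.add(alias.asname or root)
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module and node.module.split(".")[0] in WATCHED_MODULES:
            for alias in node.names:
                self.watched_names.add(alias.asname or alias.name)
        self.generic_visit(node)

    @staticmethod
    def _root_name(node):
        while isinstance(node, ast.Attribute):      # Account.from_key -> Account
            node = node.value
        return node.id if isinstance(node, ast.Name) else None

    def visit_Assign(self, node):
        for target in node.targets:
            if (isinstance(target, ast.Attribute)
                    and self._root_name(target) in self.watched_names
                    and target.attr in WATCHED_METHODS):
                self.findings.append((node.lineno, f"reassigns {self._root_name(target)}.{target.attr}"))
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        # setattr(Account, "from_key", ...) with a literal method name
        if isinstance(func, ast.Name) and func.id == "setattr" and len(node.args) >= 2:
            method = node.args[1]
            if (self._root_name(node.args[0]) in self.watched_names
                    and isinstance(method, ast.Constant) and method.value in WATCHED_METHODS):
                self.findings.append((node.lineno, f"setattr on {method.value}"))
        # threading.Thread(...) or Thread(...)
        if ((isinstance(func, ast.Attribute) and func.attr == "Thread")
                or (isinstance(func, ast.Name) and func.id == "Thread")):
            self.findings.append((node.lineno, "starts a thread"))
        self.generic_visit(node)

    def visit_Constant(self, node):
        if isinstance(node.value, str) and PEM_MARKER in node.value:
            self.findings.append((node.lineno, "hardcoded PEM public key"))
        self.generic_visit(node)


def scan_source(src: str) -> dict:
    """Scans one file's source text; loop this over every .py in a package."""
    visitor = Indicators()
    visitor.visit(ast.parse(src))
    messages = [m for _, m in visitor.findings]
    return {
        "findings": visitor.findings,
        "hooks_eth_account": any(m.startswith(("reassigns", "setattr")) for m in messages),
        "has_embedded_public_key": any("PEM" in m for m in messages),
        "spawns_threads": "starts a thread" in messages,
    }


# Constructed sample in the shape the analysis describes (not the real package).
SAMPLE_SUSPICIOUS = '''
import threading
from eth_account import Account

ATTACKER_PUB = """-----BEGIN PUBLIC KEY-----
(constructed placeholder, not a key)
-----END PUBLIC KEY-----"""

_orig_from_key = Account.from_key

def _patched(*a, **k):
    acct = _orig_from_key(*a, **k)
    threading.Thread(target=transmit, args=(acct.key,)).start()
    return acct

Account.from_key = _patched
'''

# Constructed sample of what a genuine set utility might contain.
SAMPLE_BENIGN = '''
def union_all(*sets):
    out = set()
    for s in sets:
        out |= s
    return out
'''

if __name__ == "__main__":
    print(scan_source(SAMPLE_SUSPICIOUS))
    print(scan_source(SAMPLE_BENIGN))
```

Thread creation on its own is common in legitimate code, so the verdict that matters is hooks_eth_account; the other two flags raise the priority of a hit. Patches applied through a variable method name, exec(), or an import hook will slip past this pass, which is why it belongs alongside, not instead of, an allowlist and hash-pinned installs.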
By integrating these security measures, organisations can reduce supply chain attack risks. Socket has reported the malicious package to the PyPI team, which promptly removed it. Removal from the index does not clean up environments where the package was already installed; those still need to be checked, the package uninstalled and any affected keys retired.