A recent discovery by the Socket Research Team has unveiled a malicious PyPI package named ‘set-utils’, designed to steal Ethereum private keys by exploiting commonly used account creation functions in Python-based blockchain applications.
This package, masquerading as a utility for Python sets, has been downloaded over 1,000 times since January 29, 2025, posing a significant risk to Ethereum users and developers.
Malware Mechanics
The ‘set-utils’ package targets developers working with blockchain technology, particularly those using Python-based wallet management libraries like eth-account.
It operates by silently modifying standard Ethereum wallet creation functions, allowing it to exfiltrate private keys via the Polygon RPC endpoint.
The stolen keys are encrypted using an attacker-controlled RSA public key before being transmitted, making detection challenging.
The use of the Polygon RPC as a Command and Control (C2) server adds complexity to the attack, as it disguises the data exfiltration within legitimate blockchain transactions.
The malicious code embeds an attacker-controlled RSA public key and Ethereum wallet address, which are used for encrypting and transmitting the stolen private keys.
The core function responsible for exfiltration, transmit(), encrypts the private key and sends it within an Ethereum transaction.
According to the Socket Report, this process is initiated in a background thread, further complicating detection efforts. Even if the package is uninstalled, any Ethereum wallets created while it was active remain compromised.
Impact
The consequences of this attack include silent theft of Ethereum private keys, permanent compromise of wallets, and the potential for significant financial losses.
To mitigate these risks, developers and organizations should employ regular dependency audits and automated scanning tools to detect malicious behaviors in third-party packages.
Tools like Socket’s GitHub app and CLI can provide real-time monitoring and flag suspicious packages before they are integrated into production environments.
The PyPI team has been notified, and the malicious package has been removed to prevent further attacks.
However, the incident highlights the importance of securing software supply chains to protect against such exploits.
