Saturday, April 12, 2025
Homecyber securityNew PyPI Malware Targets Developers to Steal Ethereum Wallets

New PyPI Malware Targets Developers to Steal Ethereum Wallets

Published on

SIEM as a Service

Follow Us on Google News

A recent discovery by the Socket Research Team has unveiled a malicious PyPI package named set-utils, designed to steal Ethereum private keys by exploiting commonly used account creation functions.

This package masquerades as a utility for Python sets, mimicking popular libraries like python-utils and utils, thereby deceiving developers into installing it.

Since its release it set-utils has been downloaded over 1,000 times, posing a significant risk to Ethereum users and developers.

- Advertisement - Google News

Impact and Targets

The primary targets of this attack include Ethereum developers and organizations utilizing Python-based blockchain applications.

These encompass blockchain developers using eth-account for wallet management, DeFi projects relying on Python scripts for account generation, crypto exchanges, and Web3 applications integrating Ethereum transactions.

Individuals managing personal Ethereum wallets via Python automation are also at risk.

The attack silently hooks into standard wallet creation methods, making detection challenging.

Once a wallet is compromised, even uninstalling set-utils does not mitigate the exposure, as any wallets created while the package was active remain vulnerable.

Technical Analysis

The malicious code operates in three stages. Initially, it embeds an attacker-controlled RSA public key and Ethereum wallet address, which are used to encrypt and transmit stolen private keys.

The core function, transmit(), encrypts the private key and sends it within an Ethereum transaction via the Polygon RPC endpoint rpc-amoy.polygon.technology, acting as a Command and Control (C2) server.

According to Socket Report, this method conceals stolen data within blockchain transactions, making detection difficult.

The package also modifies Ethereum account creation functions, ensuring that even successful account creations result in private key theft.

These modifications run in background threads, further complicating detection efforts.

To mitigate these risks, developers and organizations should implement regular dependency audits and utilize automated scanning tools to identify malicious behaviors in third-party packages.

Tools like Socket’s free GitHub app can monitor pull requests in real-time, flagging suspicious packages before they are merged into production environments.

Additionally, integrating security measures such as the Socket CLI and browser extension can provide on-the-fly protection by analyzing browsing activity and alerting users to potential threats.

The PyPI team has been notified, and set-utils has been removed to prevent further attacks.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Threat Actors Manipulate Search Results to Lure Users to Malicious Websites

Cybercriminals are increasingly exploiting search engine optimization (SEO) techniques and paid advertisements to manipulate...

Hackers Imitate Google Chrome Install Page on Google Play to Distribute Android Malware

Cybersecurity experts have unearthed an intricate cyber campaign that leverages deceptive websites posing as...

Dangling DNS Attack Allows Hackers to Take Over Organization’s Subdomain

Hackers are exploiting what's known as "Dangling DNS" records to take over corporate subdomains,...

HelloKitty Ransomware Returns, Launching Attacks on Windows, Linux, and ESXi Environments

Security researchers and cybersecurity experts have recently uncovered new variants of the notorious HelloKitty...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Threat Actors Manipulate Search Results to Lure Users to Malicious Websites

Cybercriminals are increasingly exploiting search engine optimization (SEO) techniques and paid advertisements to manipulate...

Hackers Imitate Google Chrome Install Page on Google Play to Distribute Android Malware

Cybersecurity experts have unearthed an intricate cyber campaign that leverages deceptive websites posing as...

Dangling DNS Attack Allows Hackers to Take Over Organization’s Subdomain

Hackers are exploiting what's known as "Dangling DNS" records to take over corporate subdomains,...