A recent discovery by the Socket Research Team has unveiled a malicious PyPI package named set-utils, designed to steal Ethereum private keys by exploiting commonly used account creation functions.
This package masquerades as a utility for Python sets, mimicking popular libraries like python-utils and utils, thereby deceiving developers into installing it.
Since its release it set-utils has been downloaded over 1,000 times, posing a significant risk to Ethereum users and developers.
The primary targets of this attack include Ethereum developers and organizations utilizing Python-based blockchain applications.
These encompass blockchain developers using eth-account for wallet management, DeFi projects relying on Python scripts for account generation, crypto exchanges, and Web3 applications integrating Ethereum transactions.
Individuals managing personal Ethereum wallets via Python automation are also at risk.
The attack silently hooks into standard wallet creation methods, making detection challenging.
Once a wallet is compromised, even uninstalling set-utils does not mitigate the exposure, as any wallets created while the package was active remain vulnerable.
The malicious code operates in three stages. Initially, it embeds an attacker-controlled RSA public key and Ethereum wallet address, which are used to encrypt and transmit stolen private keys.
The core function, transmit(), encrypts the private key and sends it within an Ethereum transaction via the Polygon RPC endpoint rpc-amoy.polygon.technology, acting as a Command and Control (C2) server.
According to Socket Report, this method conceals stolen data within blockchain transactions, making detection difficult.
The package also modifies Ethereum account creation functions, ensuring that even successful account creations result in private key theft.
These modifications run in background threads, further complicating detection efforts.
To mitigate these risks, developers and organizations should implement regular dependency audits and utilize automated scanning tools to identify malicious behaviors in third-party packages.
Tools like Socket’s free GitHub app can monitor pull requests in real-time, flagging suspicious packages before they are merged into production environments.
Additionally, integrating security measures such as the Socket CLI and browser extension can provide on-the-fly protection by analyzing browsing activity and alerting users to potential threats.
The PyPI team has been notified, and set-utils has been removed to prevent further attacks.
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free
Penetration testing companies play a vital role in strengthening the cybersecurity defenses of organizations by…
Cybersecurity researchers continue to track sophisticated "Click Fix" style distribution campaigns that deliver the notorious…
In a novel and concerning development, multiple U.S. organizations have reported receiving suspicious physical letters…
The cybersecurity landscape has recently been impacted by the emergence of the Strela Stealer malware,…
A recent cybersecurity threat has emerged where unknown attackers are exploiting a critical remote code…
In a recent cybersecurity incident, the Akira ransomware group demonstrated its evolving tactics by exploiting…