Researchers at Socket have exposed a malicious PyPi (Python Package Index package), set-utils, that steals Ethereum private keys by abusing a “commonly used account creation functions.”
Masked as a simple utility tool for Python sets, the package imitates commonly used libraries such as python-utils (712M+ downloads) and utils (23.5M+ downloads). The trap baits innocent developers into installing the malicious package, allowing hackers unauthorized entry to Ethereum wallets.
Since the start of this year, set-utils has been downloaded over 1000 times, exposing Ethereum users and developers to risk. The package attacks people working with blockchain technology, especially developers using Python-based wallet management libraries like eth-account.
The package hacks Ethereum account creation to steal private keys through the blockchain by exploiting https://rpc-amoy.polygon.technology/ as a Command and Control server (C2). This lets hackers retrieve stolen credentials covertly.
PyPi Targets
PyPi targets Ethereum developers and businesses working with Python-based blockchain apps. These include:
- Web3 apps and crypto exchanges integrating Ethereum transactions.
- Users having personal Ethereum wallets via Python automation.
- Blockchain developers using the eth-account for wallet creation and handling.
- People who installed the package may expose their private keys to hackers, causing major financial losses.
Consequences of PyPi attack
- Stealing Ethereum private keys: PyPi ties into standard wallet creation methods, which makes it difficult to notice.
- Exploit of Polygon RPC (rpc-amoy.polygon.technology/) as a C2 channel: By not using traditional network extraction, hackers hide stolen data inside blockchain transactions, making it difficult to detect.
- Hardcoded hacker-controlled RSA public key: The private keys are encrypted and then sent, hiding the data from basic monitoring.
- Permanent breach: Even if a user uninstalls set-utils, Ethereum wallets made “while it was active are already exposed and compromised.”
Controlling the damage
For mitigating risk, businesses and developers should implement robust measures to protect software supply chains. Routine dependency audits and using automated scanning software can help detect malicious or suspicious behaviours in third-party packages when they are incorporated into production environments.
According to Socket, “Integrating these security measures into development workflows, organizations can significantly reduce the likelihood of supply chain attacks.” Socket has notified the PyPI team, and “it was promptly removed to prevent further attacks.”
