
Malicious PyPI ‘set_utils’ steals Ethereum private keys


A malicious Python package, set_utils, has been identified as a serious threat to Ethereum developers and blockchain projects. The package, disguised as a simple utility for Python sets, covertly steals Ethereum private keys by hooking commonly used account creation functions.

The ‘set_utils’ package mimics widely recognised libraries like ‘python_utils’ (712 million+ downloads) and ‘utils’ (23.5 million+ downloads), so unsuspecting developers can easily install it by mistake.

Researchers have observed that since its release on January 29, 2025, the package has been downloaded over 1,000 times, potentially exposing numerous Ethereum wallets. The researchers promptly reported the package to PyPI, leading to its removal.

The attack primarily affects developers and organisations working with Python-based blockchain applications, including blockchain developers utilising the ‘eth-account’ library for wallet creation, DeFi projects relying on Python scripts for account management, crypto exchanges and Web3 applications processing Ethereum transactions, and individuals managing personal Ethereum wallets through Python automation.

The malicious code is engineered to intercept Ethereum private keys through several stages. First, the script embeds an attacker-controlled RSA public key and Ethereum wallet address, which are used to encrypt stolen private keys before transmission.

Next, the package exploits the Polygon RPC endpoint (rpc-amoy.polygon.technology/) to stealthily transmit stolen credentials, embedding exfiltrated data within blockchain transactions to evade traditional security monitoring.

[Image: the set-utils package listing. Source: Socket]

Additionally, the package modifies standard Ethereum wallet creation functions such as ‘from_key()’ and ‘from_mnemonic()’, ensuring that any new wallet created while ‘set-utils’ is installed automatically leaks its private key to the attacker.

This exfiltration process runs in a background thread, making detection even harder.
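A defender-side integrity check for the kind of monkey-patching described above, added here as an example; it is not code from the original report or from Socket. It uses a constructed stand-in for eth_account's Account class so it runs offline, and the `simulate_patch` helper only rebinds the method, standing in for the hook the article describes.

```python
import functools
import hashlib
import inspect
import marshal

# Constructed stand-in for eth_account.Account so the example runs offline;
# the real class is the one set_utils reportedly modified.
class Account:
    @classmethod
    def from_key(cls, private_key):
        return {"key": private_key}

    @classmethod
    def from_mnemonic(cls, mnemonic):
        return {"key": f"derived({mnemonic})"}

WATCHED = ("from_key", "from_mnemonic")

def _raw_function(cls, name):
    # getattr_static returns the undisturbed descriptor; __func__ strips the
    # classmethod/staticmethod wrapper without binding it.
    attr = inspect.getattr_static(cls, name)
    return getattr(attr, "__func__", attr)

def _fingerprint(cls, name):
    """Hash the compiled code object bound to cls.name.

    functools.wraps copies __name__/__module__/__doc__ onto a wrapper, so those
    attributes cannot be trusted; the code object is what a hook replaces.
    """
    return hashlib.sha256(marshal.dumps(_raw_function(cls, name).__code__)).hexdigest()

def snapshot(cls, names=WATCHED):
    """Baseline to record from a clean environment (e.g. right after install)."""
    return {n: _fingerprint(cls, n) for n in names}

def find_patched(cls, baseline, names=WATCHED):
    """Return name -> reason for every watched method that no longer matches."""
    findings = {}
    for n in names:
        if hasattr(_raw_function(cls, n), "__wrapped__"):
            findings[n] = "wrapped by a decorator"
        elif _fingerprint(cls, n) != baseline[n]:
            findings[n] = "code object differs from baseline"
    return findings

def simulate_patch(cls):
    """Hypothetical stand-in for an import-time hook: rebinds from_key to a
    wrapper that just calls the original (the rebinding is all that matters)."""
    original = _raw_function(cls, "from_key")
    @functools.wraps(original)
    def hooked(klass, private_key):
        return original(klass, private_key)
    cls.from_key = classmethod(hooked)
```

Run `snapshot()` in a trusted environment and `find_patched()` at application start-up, after all third-party imports have executed, since the hook is installed at import time.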

According to researchers, this attack has a severe impact. Ethereum private keys are silently stolen, granting attackers unauthorised access to funds. The stolen private keys are encrypted before transmission, preventing easy interception. By leveraging Polygon’s RPC for communication, attackers bypass traditional network monitoring, making detection difficult.

Even if ‘set-utils’ is uninstalled, any wallet created while it was active remains permanently compromised, leaving victims vulnerable to potential financial loss.

Cybersecurity experts have urged the implementation of strict security practices. Regular dependency audits should be conducted to detect anomalies in third-party packages. Organisations should also use automated scanning tools to monitor pull requests for malicious dependencies.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
