Alert: Ethereum Wallet Heist – Malicious PyPI Package Steals Private Keys in 1,000+ Downloads

# Malicious PyPI Package Steals Ethereum Keys Through Blockchain Exfiltration

A deceptive Python package named “set-utils” has been discovered stealing Ethereum private keys and transmitting them via the Polygon blockchain. The malicious package, which mimics legitimate utilities like “python-utils” (712+ million downloads) and “utils” (23.5+ million installs), was identified by Socket, a developer cybersecurity platform.

Since its January 29, 2025 submission to PyPI, “set-utils” accumulated over 1,000 downloads before detection. The package specifically targets blockchain developers using `eth-account` for wallet management, Python-based DeFi projects, Web3 applications with Ethereum support, and personal wallets utilizing Python automation.

## Sophisticated Theft Mechanism

The malicious package employs several advanced techniques:

- Embeds the attacker’s RSA public key for encrypting stolen data
- Hooks into standard Ethereum wallet creation functions (`from_key()` and `from_mnemonic()`) to intercept private keys
- Encrypts stolen keys and embeds them in Ethereum transaction data fields
- Transmits data to the attacker’s account via Polygon’s RPC endpoint

This exfiltration method is particularly stealthy because it sidesteps the controls most organizations rely on. Unlike outbound HTTP requests, which firewalls and egress monitoring typically inspect, a transaction submitted to a public RPC endpoint looks like ordinary blockchain activity. The Polygon network offers additional advantages to the attacker: low processing fees, no rate limiting for small transactions, and free public RPC endpoints that eliminate the need for custom infrastructure.
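The indicators above (a reassigned `from_key`/`from_mnemonic`, an embedded PEM public key, a hard-coded Polygon RPC URL, a raw-transaction send) can be checked statically before a package is trusted. The scanner below is an added example written for this article, not Socket's tooling or the `set-utils` code; the regexes, function names and the constructed `SUSPECT` sample (placeholder key and URL, no working hook body) are this example's own assumptions.

```python
import ast
import re
# Indicators drawn from the report; the regexes and set contents are this example's own choices.
HOOKED_FUNCS = {"from_key", "from_mnemonic"}
SEND_FUNCS = {"send_raw_transaction", "eth_sendRawTransaction"}
PEM_RE = re.compile(r"-----BEGIN (?:RSA )?PUBLIC KEY-----")
POLYGON_RE = re.compile(r"https?://[^\s\"']*polygon[^\s\"']*", re.I)

def scan_source(src: str) -> list[str]:
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        return [f"unparseable source: {exc}"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            # Account.from_key = wrapper: direct monkey-patch of the wallet constructor
            for tgt in node.targets:
                if isinstance(tgt, ast.Attribute) and tgt.attr in HOOKED_FUNCS:
                    findings.append(f"line {node.lineno}: reassigns {ast.unparse(tgt)}")
        elif isinstance(node, ast.Call):
            fn = node.func
            # setattr(Account, "from_mnemonic", wrapper): the same hook in indirect form
            if (isinstance(fn, ast.Name) and fn.id == "setattr" and len(node.args) >= 2
                    and isinstance(node.args[1], ast.Constant)
                    and node.args[1].value in HOOKED_FUNCS):
                findings.append(f"line {node.lineno}: setattr hook on {node.args[1].value}")
            # raw transaction submission: the exfiltration channel the report describes
            if isinstance(fn, ast.Attribute) and fn.attr in SEND_FUNCS:
                findings.append(f"line {node.lineno}: raw transaction send via {fn.attr}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if PEM_RE.search(node.value):
                findings.append(f"line {node.lineno}: embedded PEM public key")
            if POLYGON_RE.search(node.value):
                findings.append(f"line {node.lineno}: hard-coded Polygon RPC URL")
    return findings

# Constructed sample in the shape the report describes (placeholder key and URL); not set-utils code.
SUSPECT = '''from eth_account import Account
PUB = "-----BEGIN PUBLIC KEY-----placeholder-----END PUBLIC KEY-----"
RPC_URL = "https://polygon-rpc.example"
Account.from_key = _hooked
setattr(Account, "from_mnemonic", _hooked)
w3.eth.send_raw_transaction(raw)
'''

if __name__ == "__main__":
    print("\n".join(scan_source(SUSPECT)))
```

Point `scan_source` at each module under a freshly installed package's directory in site-packages; a hit on the hook indicators in a package that has no business constructing wallets is the signal to quarantine it before any key is generated.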

## Recommended Actions

While PyPI has removed the package, users who incorporated “set-utils” should:

- Immediately uninstall the package
- Consider all Ethereum wallets created with it as compromised
- Transfer any funds to new, secure wallets as soon as possible

The incident highlights the growing sophistication of supply chain attacks targeting cryptocurrency projects and the need for vigilance when incorporating third-party packages.