
Cybersecurity researchers have uncovered a deceptive Python package on PyPI that steals Ethereum private keys by masquerading as legitimate libraries. The package, named “set-utils,” accumulated over 1,000 downloads before being removed from the repository.
“Disguised as a simple utility for Python sets, the package mimics widely used libraries like python-utils (712M+ downloads) and utils (23.5M+ downloads),” reported Socket, a software supply chain security company. This deception effectively tricks developers into installing the compromised package, giving attackers unauthorized access to Ethereum wallets.
The malware specifically targets blockchain developers who work with Python-based wallet-management libraries such as eth-account. The package bundles the attacker’s RSA public key, used to encrypt stolen data, and an attacker-controlled Ethereum sender account.
The malicious code works by intercepting private keys during wallet-creation calls such as “from_key()” and “from_mnemonic()”. What makes this attack particularly hard to spot is its exfiltration method: stolen keys are carried in blockchain transactions sent through the Polygon RPC endpoint “rpc-amoy.polygon.technology”, which helps it evade traditional security monitoring that looks for suspicious HTTP requests.
“This ensures that even when a user successfully creates an Ethereum account, their private key is stolen and transmitted to the attacker,” Socket explained. “The malicious function runs in a background thread, making detection even more difficult.”
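The behaviour described above (hooking eth-account wallet-creation functions, spawning a background thread, and talking to a named RPC host) leaves static traces in a package’s source. The following scanner is an added illustration written for this article, not code from Socket or from the set-utils package: it parses Python source with the standard `ast` module and flags the combination of an eth-account import, an assignment or `setattr` that overwrites `from_key`/`from_mnemonic`, a `Thread` construction, and a string literal containing the RPC host named in the report. The indicator lists, the scoring, and the two embedded sample modules are constructed assumptions for the example; the sample “malicious” module only sketches the patching pattern and contains no exfiltration logic.

```python
"""Static heuristic scan for the wallet-hooking pattern described in the article.

Added example; not code from Socket or from the set-utils package.
"""
import ast
from dataclasses import dataclass, field
from pathlib import Path

# Constructed indicator lists (assumptions for this example).
WALLET_LIBS = {"eth_account"}                      # libraries the hook targets
HOOKED_FUNCS = {"from_key", "from_mnemonic"}       # functions named in the report
SUSPICIOUS_HOSTS = ("rpc-amoy.polygon.technology",)  # RPC host named in the report


@dataclass
class Findings:
    """Indicators found in one source file, each tagged with a line number."""
    wallet_imports: list = field(default_factory=list)
    hooked_attrs: list = field(default_factory=list)
    thread_starts: list = field(default_factory=list)
    rpc_strings: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per distinct indicator family present (0..4).
        return sum(bool(v) for v in (self.wallet_imports, self.hooked_attrs,
                                     self.thread_starts, self.rpc_strings))


def scan_source(source: str, filename: str = "<module>") -> Findings:
    """Walk the AST once and collect the four indicator families."""
    tree = ast.parse(source, filename)
    f = Findings()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in WALLET_LIBS:
                    f.wallet_imports.append((node.lineno, alias.name))
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in WALLET_LIBS:
                f.wallet_imports.append((node.lineno, node.module))
        elif isinstance(node, ast.Assign):
            # Monkey-patch by attribute assignment: Account.from_key = wrapper
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr in HOOKED_FUNCS:
                    f.hooked_attrs.append((node.lineno, ast.unparse(target)))
        elif isinstance(node, ast.Call):
            func = node.func
            if (isinstance(func, ast.Attribute) and func.attr == "Thread") or \
               (isinstance(func, ast.Name) and func.id == "Thread"):
                f.thread_starts.append(node.lineno)
            # Monkey-patch via setattr(Account, "from_key", wrapper)
            elif (isinstance(func, ast.Name) and func.id == "setattr"
                  and len(node.args) >= 2
                  and isinstance(node.args[1], ast.Constant)
                  and node.args[1].value in HOOKED_FUNCS):
                f.hooked_attrs.append((node.lineno, ast.unparse(node)))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(h in node.value for h in SUSPICIOUS_HOSTS):
                f.rpc_strings.append((node.lineno, node.value))
    return f


def scan_tree(root: str) -> dict:
    """Scan every .py file under root (e.g. a site-packages dir); return {path: Findings}."""
    results = {}
    for path in Path(root).rglob("*.py"):
        try:
            results[str(path)] = scan_source(path.read_text(encoding="utf-8"), str(path))
        except (SyntaxError, UnicodeDecodeError):
            continue  # skip files the parser cannot read
    return results


# Constructed sample: a set helper that also patches a wallet library.
# Only the hooking skeleton is shown; the reporting body is omitted.
SAMPLE = '''\
import threading
from eth_account import Account

def union_all(*sets):
    return set().union(*sets)

_orig_from_key = Account.from_key

def _wrapped(*args, **kwargs):
    acct = _orig_from_key(*args, **kwargs)
    threading.Thread(target=_report, args=(acct,), daemon=True).start()
    return acct

def _report(acct):
    endpoint = "https://rpc-amoy.polygon.technology"
    ...

Account.from_key = _wrapped
'''

# Constructed sample: the same set helper with nothing else.
BENIGN = '''\
def union_all(*sets):
    return set().union(*sets)
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE), ("benign", BENIGN)):
        f = scan_source(src, name)
        print(name, "score", f.score, "hooks", f.hooked_attrs, "rpc", f.rpc_strings)
```

Run `scan_tree(site.getsitepackages()[0])` after installing a new dependency and review anything that scores 3 or higher; a set-manipulation library has no reason to import eth_account or reassign its wallet constructors, so even a score of 2 from those two families alone is worth a manual look.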