
Mar 07, 2025 · Ravie Lakshmanan · Malware / Blockchain

Cybersecurity researchers have identified a malicious package on the Python Package Index (PyPI) that steals Ethereum private keys while masquerading as popular utility libraries.

The package, known as set-utils, had been downloaded 1,077 times before it was removed from the official registry. It is no longer available for download.

According to Socket, a company that specializes in software supply chain security, the package “disguises itself as a simple utility for Python sets, mimicking popular libraries such as python-utils (712M+ downloads) and utils (23.5M+ downloads)”.

The primary target of the package appears to be Ethereum developers and organizations that use Python-based blockchain applications, particularly those working with Python-based wallet management libraries such as eth-account.

Besides containing the attacker’s RSA public key for encrypting stolen data and an Ethereum sender account under their control, the library also embeds itself into wallet creation functions such as “from_key()” and “from_mnemonic()” to intercept private keys as they are generated on the compromised machine.

In a notable twist, the private keys are exfiltrated via blockchain transactions through the Polygon RPC endpoint “rpc-amoy.polygon.technology”, in an attempt to evade traditional detection methods that monitor for suspicious HTTP requests.

“This means that even if a user successfully creates an Ethereum account, their private key will be stolen and transmitted to the attacker,” according to Socket. “The malicious function runs in a background thread, making it even harder to detect.”
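As an added example (not code from the article or from Socket), the following runtime integrity check inspects a wallet class's from_key() and from_mnemonic() attributes without invoking them and reports function objects that do not look like the package's own definitions, which is what a library that replaces those methods leaves behind. FakeAccount and simulate_hook are constructed stand-ins so the check runs without eth-account installed; against the real library the call would be audit_wallet_class(eth_account.Account, "eth_account").

```python
import inspect

WALLET_METHODS = ("from_key", "from_mnemonic")

def _raw_function(descriptor):
    # classmethod/staticmethod keep the function in __func__, eth_utils'
    # combomethod in .method; a plain function is returned unchanged.
    for attr in ("__func__", "method"):
        if hasattr(descriptor, attr):
            return getattr(descriptor, attr)
    return descriptor

def inspect_method(cls, name, expected_module_prefix):
    """Return the reasons cls.<name> looks replaced (empty list when clean)."""
    # getattr_static does not run descriptors, whose __get__ may legitimately
    # hand back a wrapper and would otherwise cause false positives here.
    fn = _raw_function(inspect.getattr_static(cls, name))
    reasons = []
    module = getattr(fn, "__module__", None) or ""
    if not module.startswith(expected_module_prefix):
        reasons.append(f"module {module!r} is outside {expected_module_prefix!r}")
    qualname = getattr(fn, "__qualname__", "")
    if qualname != f"{cls.__name__}.{name}":
        reasons.append(f"qualname {qualname!r} is not {cls.__name__}.{name}")
    if hasattr(fn, "__wrapped__"):
        reasons.append("carries __wrapped__ (functools.wraps-style wrapper)")
    if getattr(fn, "__closure__", None):
        reasons.append("has a closure (wrappers usually capture the original)")
    return reasons

def audit_wallet_class(cls, expected_module_prefix, names=WALLET_METHODS):
    """Map each wallet-creation method present on cls to its list of findings."""
    return {n: inspect_method(cls, n, expected_module_prefix) for n in names if hasattr(cls, n)}

class FakeAccount:
    """Constructed stand-in for eth_account.Account, not the real class."""
    @classmethod
    def from_key(cls, private_key):
        return {"address": "0x" + "00" * 20, "key": private_key}
    @classmethod
    def from_mnemonic(cls, mnemonic):
        return {"address": "0x" + "11" * 20, "mnemonic": mnemonic}

def simulate_hook(cls, name):
    """Swap cls.<name> for a pass-through wrapper: the shape a replaced method has."""
    original = getattr(cls, name)
    def wrapper(*args, **kwargs):
        return original(*args, **kwargs)
    setattr(cls, name, wrapper)
```

A clean class yields empty lists for every method; after simulate_hook() the replaced method is reported for its foreign qualname and its closure, while its sibling stays clean.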
