FOCUS MODE
EXTRACT IOC
Threat Research

New PyPI Malware ‘set-utils’ Exfiltrates Ethereum Private Keys Through Blockchain Transactions

admin
New PyPI Malware ‘set-utils’ Exfiltrates Ethereum Private Keys Through Blockchain Transactions
The Socket Research Team has discovered a malicious PyPI package named set-utils designed to steal Ethereum private keys by manipulating account creation functions. This package masquerades as a simple utility and exploits popular libraries, deceiving developers into downloading it, which puts their Ethereum wallets at risk. Over 1,000 downloads have occurred since its introduction, primarily affecting Ethereum developers and organizations using Python-based blockchain tools. Affected: Ethereum developers, blockchain organizations, DeFi projects, crypto exchanges, personal wallet users

Keypoints :

  • Malicious package named set-utils discovered on PyPI, designed to steal Ethereum private keys.
  • Impersonates widely-used libraries to trick developers into installation.
  • Targets developers of blockchain technology, particularly those using Python wallet libraries.
  • Exfiltrates private keys using an attacker-controlled Command and Control (C2) server.
  • More than 1,000 downloads since January 29, 2025, increasing risk to Ethereum users.
  • Silently modifies Ethereum wallet creation methods to stealthily steal credentials.
  • Packaged functionalities make detection difficult for users unaware of the threat.
  • Mitigation strategies involve regular audits, dependency monitoring, and using security tools.

MITRE Techniques :

  • T1071.001: Application Layer Protocol: Web Protocols – The package uses HTTP(S) to send stolen data via Polygon RPC.
  • T1055.001: Process Injection: Dynamic Link Library Injection – The function modifies standard account creation methods to exfiltrate tokens.
  • T1043: Commonly Used Port – The communication occurs through standard ports associated with blockchain transactions.

Indicator of Compromise :

  • [URL] https://rpc-amoy.polygon.technology/
  • [Ethereum Address] 0xa3a1d8ee43adc1024b2407b2230e018bd1752ebc819b8abe873b8a3aa5acaee3
  • [Public Key] MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoE/n0a0nNk3hGlDv+ypQ8Vk/xHpjYD6LpFYLmBBv4fg5ScckQwDweOKTLmN12cC2EWlpIiiS6u3Zqdph6L34O/ec1v9E+4yk02d0ttSwNDMaUzaGXaZaHv1N8ln+KYFaQjx+HvGlEDpDAxEElowBmsYv9ZOX/AUFvmL9Ug6ZqcN4/7ISV45c20dukWsH46qbVPyIh3ppOXdtAG13BqxoDN+uKvD7XaC1DOWepWEXYKyIIre5gR0U5Un0v44YWQaQIPruWrYpKl8acKrAuHiQUZdGKxmJlRyUUAAEVhYodW3kw0KAWZgcUDYkfJg2eCEXV4rx/CtTSEvPmPeU7FV9IQIDAQAB
  • [Hash (MD5)] 0e4c8c76894290ebece0aca1644c3d28
  • [Hash (SHA-1)] b532bd9cb8e4b921f71ac89a7c527a2ea5f4d9ef

Full Story: https://socket.dev/blog/new-pypi-malware-exfiltrates-ethereum-private-keys

Views: 27

Tags: EXFILTRATION, BROWSER, IMPACT, CRYPTO, FINANCIAL, BLOCKCHAIN