
Malicious PyPI Package set-utils Targeting Ethereum Developers and Organizations


PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.

Cyble Research and Intelligence Labs (CRIL) came across an article in which security researchers identified a malicious PyPI package, set-utils, designed to steal Ethereum private keys by exploiting commonly used account creation functions. Masquerading as a simple utility for Python sets, the package imitates popular libraries like python-utils (712M+ downloads) and utils (23.5M+ downloads). This deceptive tactic misleads developers into installing the compromised package, ultimately granting attackers unauthorized access to Ethereum wallets.

Since January 29, 2025, set-utils has been downloaded over 1,000 times, posing a significant threat to Ethereum users and developers. The package specifically targets those working with blockchain technology, particularly developers utilizing Python-based wallet management libraries such as eth-account. The package stealthily exfiltrates private keys via the blockchain by intercepting Ethereum account creation, abusing https://rpc-amoy.polygon.technology/ as a Command & Control (C&C) server. This method enables attackers to extract stolen credentials covertly.

This attack primarily targets Ethereum developers and organizations working with Python-based blockchain applications, including those utilizing eth-account for wallet creation and management, DeFi projects relying on Python scripts for account generation, and crypto exchanges or Web3 applications integrating Ethereum transactions. Additionally, individuals managing personal Ethereum wallets through Python automation are also at risk. Anyone who has installed the set-utils package faces potential exposure of their private keys, which could lead to severe financial losses.

Technical Details

The initial section of the malicious script sets up an attacker-controlled RSA public key and Ethereum wallet address, which are used to encrypt and transmit the stolen private keys.

The transmit() function serves as the core mechanism for exfiltrating stolen private keys. It encrypts the private key and embeds it within an Ethereum transaction, which is then sent through the Polygon RPC endpoint (rpc-amoy[.]polygon.technology/).

The package covertly alters standard Ethereum wallet creation functions by wrapping from_key() and from_mnemonic(), enabling it to exfiltrate credentials in the background.

As a result, even when a user successfully creates an Ethereum account, their private key is secretly stolen and transmitted to the attacker. The malicious function operates in a background thread, further complicating detection.
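A defender-side check that follows from the hooking behaviour described above, added here as an example (not code from the advisory or from the set-utils package): it verifies that the account-creation callables still resolve to functions compiled from the eth_account package directory and do not carry the fingerprints of a wrapper (a foreign source file, a `__wrapped__` attribute, or a closure). The eth_account module and its path are replaced by a constructed stand-in so the script runs offline; on a real system you would pass `eth_account.Account` and `os.path.dirname(eth_account.__file__)` instead, and `simulate_tamper` is only a benign pass-through fixture used to exercise the audit.

```python
import os

TARGETS = ("from_key", "from_mnemonic")

def raw_function(fn):
    # Strip classmethod/bound-method layers down to the plain function object.
    return getattr(fn, "__func__", fn)

def audit_account_api(account_cls, expected_pkg_dir, names=TARGETS):
    """Return (name, reason) findings; an empty list means the API looks untouched."""
    expected = os.path.abspath(expected_pkg_dir) + os.sep
    findings = []
    for name in names:
        fn = getattr(account_cls, name, None)
        if fn is None:
            findings.append((name, "attribute missing"))
            continue
        raw = raw_function(fn)
        code = getattr(raw, "__code__", None)
        if code is None:
            findings.append((name, "not a plain Python function"))
            continue
        origin = os.path.abspath(code.co_filename)
        if not origin.startswith(expected):
            findings.append((name, "defined outside the package: " + origin))
        if getattr(raw, "__wrapped__", None) is not None:
            findings.append((name, "carries __wrapped__ (functools.wraps wrapper)"))
        if raw.__closure__:  # heuristic: wrappers usually close over the original
            findings.append((name, "is a closure"))
    return findings

# Constructed stand-in for eth_account.account (path is made up) so this runs offline.
PKG_DIR = os.path.join(os.sep, "venv", "lib", "site-packages", "eth_account")
STAND_IN_SRC = (
    "class Account:\n"
    "    @classmethod\n"
    "    def from_key(cls, key): return ('account', key)\n"
    "    @classmethod\n"
    "    def from_mnemonic(cls, words): return ('account', words)\n"
)
ns = {}
exec(compile(STAND_IN_SRC, os.path.join(PKG_DIR, "account.py"), "exec"), ns)
Account = ns["Account"]

def simulate_tamper(cls):
    """Benign fixture: swap from_key for a pass-through wrapper defined in this file."""
    original = cls.from_key
    def patched(key):
        return original(key)
    cls.from_key = staticmethod(patched)
```

Run the audit once at start-up against the real eth_account and treat any non-empty result as a reason to stop before generating or importing keys.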

Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

● Before using any Python package, review its source code and ensure it comes from a trusted and reputable source.

● Use strong passwords and enforce multi-factor authentication wherever possible.

● Turn on the automatic software update feature on your computer, mobile, and other connected devices.

● Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.

● Refrain from opening untrusted links and Email attachments without first verifying their authenticity.

● Educate employees on protecting themselves from threats like phishing/untrusted URLs.

● Block URLs that could be used to spread malware, e.g., Torrent/Warez.

● Monitor beaconing at the network level to block data exfiltration by malware or TAs.

● Enable Data Loss Prevention (DLP) solutions on the employees’ systems.

Conclusion

The set-utils package poses a serious threat to Ethereum developers and organizations by silently exfiltrating private keys through blockchain transactions. By disguising itself as a legitimate utility, it exploits standard wallet creation functions, making detection difficult. Developers using Python-based blockchain tools must remain vigilant, verify package authenticity, and audit dependencies to prevent such supply chain attacks. If set-utils was installed, immediate action is necessary to secure affected wallets and prevent potential financial losses.
