
Over 1,000 Users Downloaded A PyPI Package That Stole Crypto Private Keys
A malicious Python package named “set-utils” was found stealing Ethereum private keys by hijacking wallet creation functions.
In a Rush? Here are the Quick Facts!
- Attackers exfiltrated stolen keys via the Polygon blockchain to evade detection.
- Over 1,000 downloads occurred before “set-utils” was removed from PyPI.
- Compromised wallets remain vulnerable even after uninstalling the package.
The package, which mimics legitimate Python utilities, was uploaded to the Python Package Index (PyPI) on January 29, 2025, and had been downloaded over 1,000 times before its discovery. Security researchers from Socket uncovered the attack and reported their findings.
Disguised as a simple tool for working with sets in Python, set-utils tricked developers into installing it. However, once in use, it silently stole Ethereum private keys and transmitted them to attackers through the Polygon blockchain.
This method makes the attack difficult to detect since most cybersecurity tools monitor traditional network traffic but do not flag blockchain transactions as suspicious.
The attack specifically targeted blockchain developers, decentralized finance (DeFi) projects, crypto exchanges, Web3 applications, and individuals using Python scripts to manage Ethereum wallets.
The package intercepted wallet creation functions in Python-based libraries, such as eth-account, and extracted private keys in the background. These keys were then encrypted using an attacker-controlled RSA public key and sent to the Polygon network through an RPC endpoint, effectively hiding the data in Ethereum transactions.
Unlike conventional phishing attacks or malware, this method bypasses common cybersecurity defenses. Since Ethereum transactions are permanent, attackers can retrieve stolen keys at any time.
Even if a user uninstalls the package, their wallets remain compromised. Any Ethereum accounts created while set-utils was active should be considered unsafe, and users are urged to transfer their funds to a new, secure wallet immediately.
Another stealth feature of the attack was its ability to modify standard wallet creation functions without the user noticing. The malicious code wrapped around normal Ethereum account generation functions, running in the background while the user continued to work. This ensured that every newly created wallet had its private key stolen.
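The wrapping described above leaves a trace a defender can check for, shown here as an added example that is not code from the article or from Socket's report. A functools.wraps-style wrapper copies the original function's name, module and docstring but never its code object, so each layer's co_filename still records which package actually wrote it; the helper below walks a wallet-creation function's __wrapped__ chain and reports every layer whose code lives outside the owning library's directory. The eth_account and set_utils install paths and the function bodies in the demo are constructed stand-ins, not the real packages.

```python
import functools

def code_origin(func):
    """Filename recorded in the function's code object (None for native code).
    functools.wraps copies __name__/__module__/__doc__ from the original but
    never the code object, so co_filename still shows where a wrapper was written."""
    target = getattr(func, "__func__", func)  # unwrap bound / static methods
    code = getattr(target, "__code__", None)
    return code.co_filename if code is not None else None

def foreign_layers(func, owner_dir):
    """Follow the __wrapped__ chain and return the filenames of every layer whose
    code does not live under owner_dir; an empty list means no foreign wrapper."""
    prefix = owner_dir.rstrip("/") + "/"  # POSIX-style paths assumed
    found, seen, layer = [], set(), func
    while layer is not None and id(layer) not in seen:
        seen.add(id(layer))
        origin = code_origin(layer)
        if origin is not None and not origin.startswith(prefix):
            found.append(origin)
        layer = getattr(layer, "__wrapped__", None)
    return found

# --- constructed demo: a fake library function and a fake foreign wrapper ----
SITE = "/venv/lib/python3.12/site-packages"  # hypothetical install location

def _define(src, filename):
    """Compile src under a chosen filename so co_filename mimics that location."""
    ns = {"functools": functools}
    exec(compile(src, filename, "exec"), ns)
    return ns

def demo():
    lib = _define("def create():\n    return 'fresh-account'\n",
                  SITE + "/eth_account/account.py")
    bad = _define("def wrap(orig):\n"
                  "    @functools.wraps(orig)\n"
                  "    def patched(*a, **kw):  # call-through stand-in for the hijack\n"
                  "        return orig(*a, **kw)\n"
                  "    return patched\n", SITE + "/set_utils/__init__.py")
    owner = SITE + "/eth_account"
    clean = foreign_layers(lib["create"], owner)
    tampered = foreign_layers(bad["wrap"](lib["create"]), owner)
    return clean, tampered
```

On a real environment the same check would be run against the actual eth_account account-creation callables after all third-party imports have completed, since a wrapper installed at import time is exactly what this audit is meant to surface.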
Following its discovery, set-utils was removed from PyPI, but the risk remains for anyone who installed it before the takedown. Security experts advise checking Python environments for the package and scanning for any unauthorized wallet access.
The incident highlights the growing threat of supply chain attacks in the open-source ecosystem, where malicious software is disguised as helpful tools, putting developers and their projects at risk.