Malicious PyPI Package ‘set-utils’ Steals Ethereum Private Keys


A malicious Python Package Index (PyPI) package named “set-utils” has been discovered stealing Ethereum private keys by intercepting wallet creation functions and exfiltrating them via the Polygon blockchain. Disguised as a utility for Python, it mimics popular packages like “python-utils” and “utils,” which have millions of downloads. 

Researchers from the developer cybersecurity platform Socket identified the malicious package, reporting that “set-utils” had been downloaded over a thousand times since its submission on PyPI on January 29, 2025. The attacks primarily target blockchain developers utilizing ‘eth-account’ for wallet creation and management, Python-based DeFi projects, Web3 apps with Ethereum support, and personal wallets using Python automation. 

Stealthy Ethereum Key Theft

The “set-utils” package embeds the attacker’s RSA public key for encrypting stolen data and an Ethereum sender account controlled by the attacker. It hooks into standard Ethereum wallet creation functions like ‘from_key()’ and ‘from_mnemonic()’ to intercept private keys as they are generated on the compromised machine. The stolen private keys are then encrypted and embedded in the data field of an Ethereum transaction before being sent to the attacker’s account via the Polygon RPC endpoint. 
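One defensive check that follows from the hook described above, added here as an example (it is not code from Socket's report or from eth-account): a package that hooks a wallet factory must replace the method on the class with a function of its own, and the outermost code object of that replacement was compiled from a file in the hooking package's directory, not the library's. The check below reads that filename and compares it against an allowlist of trusted directories. It is demonstrated on a constructed stand-in for `eth_account.Account`, with constructed paths, so it runs without eth-account installed; on a real install, calibrate the allowlist against a clean environment first, since legitimate decorators can place the outermost code object in a dependency's file.

```python
"""Runtime integrity check for wallet-creation methods.

A hook that replaces Account.from_key() / from_mnemonic() leaves a function
whose *outermost* code object was compiled from a file in the hooking
package's directory.  We compare that file against trusted directories.

Demonstrated on a constructed stand-in, not the real eth_account library.
"""
import os
from typing import Dict, Iterable


def outermost_code_file(func) -> str:
    """Path of the file defining the outermost function behind `func`.

    Deliberately does NOT follow __wrapped__: a hook built with
    functools.wraps points __wrapped__ at the genuine function, so
    unwrapping would hide exactly the layer we are looking for.
    """
    fn = getattr(func, "__func__", func)          # unbind class/static methods
    code = getattr(fn, "__code__", None)
    if code is None:                               # builtins, partials, C extensions
        return "<no code object>"
    return os.path.abspath(code.co_filename)


def find_hooked_methods(cls, method_names: Iterable[str],
                        trusted_dirs: Iterable[str]) -> Dict[str, str]:
    """Map each named method whose outermost code lives outside every
    trusted directory to the file that actually defines it."""
    trusted = [os.path.abspath(d) + os.sep for d in trusted_dirs]
    hooked: Dict[str, str] = {}
    for name in method_names:
        path = outermost_code_file(getattr(cls, name))
        if not any(path.startswith(t) for t in trusted):
            hooked[name] = path
    return hooked


# --- Constructed demonstration: stand-ins, not the real libraries ---------
LIB_DIR = "/opt/venv/lib/site-packages/eth_account"     # constructed path
HOOK_DIR = "/opt/venv/lib/site-packages/set_utils"      # constructed path

_LIB_SRC = '''
class Account:
    """Stand-in for the library's wallet factory."""
    @classmethod
    def from_key(cls, key):
        return {"address": "0x" + key[-8:], "key": key}

    @classmethod
    def from_mnemonic(cls, words):
        return {"address": "0x" + str(len(words)), "key": words}
'''

_HOOK_SRC = '''
import functools

def install(Account):
    """Stand-in for a hook: wraps from_key and reassigns the class attribute.
    functools.wraps copies the original's name and docstring, so attribute
    inspection alone would not reveal the wrapper."""
    orig = Account.from_key

    @functools.wraps(orig)
    def from_key(key):
        return orig(key)        # a real hook would read `key` here first

    Account.from_key = from_key
'''


def _load(src: str, filename: str) -> dict:
    """Execute `src` as if imported from `filename`, so the resulting code
    objects carry that path in co_filename (simulates an installed module)."""
    ns: dict = {}
    exec(compile(src, filename, "exec"), ns)
    return ns


def demo() -> Dict[str, Dict[str, str]]:
    """Check the clean stand-in, install the stand-in hook, check again."""
    names = ["from_key", "from_mnemonic"]
    Account = _load(_LIB_SRC, os.path.join(LIB_DIR, "account.py"))["Account"]
    before = find_hooked_methods(Account, names, [LIB_DIR])
    _load(_HOOK_SRC, os.path.join(HOOK_DIR, "__init__.py"))["install"](Account)
    after = find_hooked_methods(Account, names, [LIB_DIR])
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, hooked in demo().items():
        print(f"{phase}: {hooked or 'all methods defined inside trusted dirs'}")
```

Running this prints an empty result before the stand-in hook is installed and, afterwards, maps `from_key` to a file under the `set_utils` directory while `from_mnemonic` stays clean. The same `find_hooked_methods` call can be wired into a test suite or a startup self-check of a signing service, with `trusted_dirs` set to the library's installed location.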

This method of embedding stolen data in Ethereum transactions is stealthier and more challenging to distinguish from legitimate activity compared to traditional network exfiltration methods. Firewalls and antivirus tools typically monitor HTTP requests but not blockchain transactions, making this method unlikely to raise any flags or get blocked. Additionally, Polygon transactions have very low processing fees, no rate limiting applies to small transactions, and they offer free public RPC endpoints, so the threat actors do not need to set up their own infrastructure.
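The transaction still leaves the machine as an HTTPS POST carrying a JSON-RPC body, so egress monitoring that looks at the RPC method rather than only the destination can see it. The following scanner is an added example, not part of the article or of any vendor tool: it assumes an egress proxy that logs request bodies (an assumption), picks out `eth_sendRawTransaction` calls, RLP-decodes the signed transaction (legacy, EIP-2930 and EIP-1559 envelopes) and reports the size of its `data` field, which is where the article says the encrypted keys were placed. Plain value transfers carry no calldata, so calldata coming from a workstation process is worth triage. The log records, hostname and transactions below are all constructed; a 64-byte blob stands in for an encrypted key.

```python
"""Flag eth_sendRawTransaction calls carrying calldata in egress-proxy logs.
Constructed sample data throughout; the RLP codec is minimal but complete."""
import json
from typing import Dict, List, Optional


# ---- minimal RLP codec (encode is only used to build the samples) ----
def _rlp_len(n: int, offset: int) -> bytes:
    if n < 56:
        return bytes([offset + n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(nb)]) + nb


def rlp_encode(item) -> bytes:
    if isinstance(item, int):                      # big-endian, no leading zeros
        item = b"" if item == 0 else item.to_bytes((item.bit_length() + 7) // 8, "big")
    if isinstance(item, (bytes, bytearray)):
        if len(item) == 1 and item[0] < 0x80:
            return bytes(item)
        return _rlp_len(len(item), 0x80) + bytes(item)
    payload = b"".join(rlp_encode(x) for x in item)
    return _rlp_len(len(payload), 0xC0) + payload


def _rlp_item(data: bytes):
    """Decode the item at the front of `data`; return (item, remaining bytes)."""
    if not data:
        raise ValueError("truncated RLP")
    b = data[0]
    if b < 0x80:                                   # single byte encodes itself
        return data[:1], data[1:]
    if b < 0xC0:                                   # byte string
        if b < 0xB8:
            start, n = 1, b - 0x80
        else:
            ln = b - 0xB7
            start, n = 1 + ln, int.from_bytes(data[1:1 + ln], "big")
        if len(data) < start + n:
            raise ValueError("truncated RLP string")
        return data[start:start + n], data[start + n:]
    if b < 0xF8:                                   # list
        start, n = 1, b - 0xC0
    else:
        ln = b - 0xF7
        start, n = 1 + ln, int.from_bytes(data[1:1 + ln], "big")
    if len(data) < start + n:
        raise ValueError("truncated RLP list")
    payload, items = data[start:start + n], []
    while payload:
        item, payload = _rlp_item(payload)
        items.append(item)
    return items, data[start + n:]


def rlp_decode(data: bytes):
    item, rest = _rlp_item(data)
    if rest:
        raise ValueError("trailing bytes after RLP item")
    return item


# Positions of `to` and `data` per EIP-2718 envelope: None=legacy, 1=EIP-2930, 2=EIP-1559
_TO_INDEX = {None: 3, 1: 4, 2: 5}
_DATA_INDEX = {None: 5, 1: 6, 2: 7}


def raw_tx_fields(raw_hex: str) -> Dict[str, bytes]:
    """Return the `to` and `data` fields of a signed raw transaction."""
    raw = bytes.fromhex(raw_hex[2:] if raw_hex.startswith("0x") else raw_hex)
    tx_type: Optional[int] = None
    if raw and raw[0] <= 0x7F:                     # typed envelope: type byte, then RLP
        tx_type, raw = raw[0], raw[1:]
    fields = rlp_decode(raw)
    if (tx_type not in _DATA_INDEX or not isinstance(fields, list)
            or len(fields) <= _DATA_INDEX[tx_type]):
        raise ValueError(f"unsupported or malformed transaction (type {tx_type})")
    return {"to": fields[_TO_INDEX[tx_type]], "data": fields[_DATA_INDEX[tx_type]]}


def scan_rpc_log(lines: List[str], min_calldata: int = 1) -> List[Dict]:
    """One finding per eth_sendRawTransaction whose calldata is at least
    `min_calldata` bytes, or whose payload could not be decoded."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        try:
            body = json.loads(rec.get("body") or "{}")
        except json.JSONDecodeError:
            continue
        if body.get("method") != "eth_sendRawTransaction":
            continue
        base = {"proc": rec.get("proc"), "dst": rec.get("dst")}
        try:
            tx = raw_tx_fields((body.get("params") or [None])[0])
        except (ValueError, TypeError, AttributeError):
            findings.append({**base, "reason": "undecodable raw transaction"})
            continue
        if len(tx["data"]) >= min_calldata:
            findings.append({**base, "reason": "raw transaction carries calldata",
                             "to": "0x" + tx["to"].hex(), "calldata_bytes": len(tx["data"])})
    return findings


# ---- constructed samples ----
def _constructed_legacy_tx(data: bytes) -> str:
    """Legacy (type-0) raw tx with dummy signature: nonce, gasPrice, gas, to, value, data, v, r, s."""
    fields = [7, 30_000_000_000, 21_000 + 16 * len(data), bytes.fromhex("11" * 20),
              0, data, 27, b"\x01" * 32, b"\x02" * 32]
    return "0x" + rlp_encode(fields).hex()


def _log(method: str, params: list) -> str:       # constructed egress-proxy record
    return json.dumps({"ts": "2025-02-01T10:00:00Z", "proc": "python3",
                       "dst": "public-rpc.polygon.example",
                       "body": json.dumps({"jsonrpc": "2.0", "id": 1,
                                           "method": method, "params": params})})


SAMPLE_LOG = [
    _log("eth_blockNumber", []),                                             # benign read
    _log("eth_sendRawTransaction", [_constructed_legacy_tx(b"")]),           # plain transfer
    _log("eth_sendRawTransaction", [_constructed_legacy_tx(b"\xAA" * 64)]),  # 64-byte blob
]


def demo() -> List[Dict]:
    return scan_rpc_log(SAMPLE_LOG)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Only the third record produces a finding (64 bytes of calldata to the constructed recipient address); the read-only call and the plain transfer are ignored. Legitimate contract interactions also carry calldata, so treat the output as a hunting lead to be correlated with the process name and the destination host, not as a verdict.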

Once the exfiltration process is complete, the attacker can retrieve the stolen data at any time, as it is permanently stored on the blockchain. The “set-utils” package has been removed from PyPI following its discovery. However, users and software developers who incorporated it into their projects should uninstall it immediately and assume that any Ethereum wallets created are compromised. If the affected wallets contain funds, it is recommended to move them to another wallet as soon as possible, as they are at risk of being stolen at any moment. 

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.
