
Ethereum private key stealer on PyPI downloaded over 1,000 times

A malicious Python Package Index (PyPI) package called "set-utils" stole Ethereum private keys by hooking wallet-creation functions and exfiltrated them through the Polygon blockchain.

The package poses as a utility library for Python and imitates the popular "python-utils", which has over 712 million downloads, and "utils", which counts over 23.5 million installs.

Researchers at the developer cybersecurity platform Socket discovered the malicious package and reported that set-utils had been downloaded over a thousand times since January 29, 2025.

The open source supply-chain security company reports that the attacks primarily target blockchain developers who use eth-account for wallet creation and management, Python-based DeFi projects, Web3 apps with Ethereum support, and personal wallets managed with Python automation.

The malicious package on PyPI
Source: Socket

Because the malicious package targets cryptocurrency projects, it could affect a much larger number of people who used those applications to generate wallets.

Stealthy Ethereum key theft

The malicious set-utils package embeds the attacker's public key, used to encrypt the stolen data, and an Ethereum account controlled by the attacker.

The package hooks standard Ethereum wallet-creation functions such as from_key() and from_mnemonic() to intercept private keys as they are generated on the compromised machine.

It then encrypts the stolen private key and embeds it in the data field of an Ethereum transaction before sending it to the attacker's account via the Polygon RPC endpoint "rpc-amoy.polygon.technology/".
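The hooking described above is what a defender can check for at runtime. The following added example (not code from the article or from Socket) records the code objects behind wallet-creation methods and later flags any that have been wrapped or replaced; the `Account` class is a constructed stand-in for `eth_account.Account`, and `demo()` simulates a set-utils style hook on `from_key()`.

```python
import functools
import inspect


def _raw_function(cls, name):
    """Return the function behind a class/static method without descriptor binding."""
    attr = inspect.getattr_static(cls, name)
    return getattr(attr, "__func__", attr)


def snapshot(cls, names):
    """Record each named method's code object; take this before third-party imports."""
    return {n: _raw_function(cls, n).__code__ for n in names}


def verify(cls, baseline):
    """Return {method: reason} for every method that no longer matches the baseline."""
    findings = {}
    for name, code in baseline.items():
        func = _raw_function(cls, name)
        # functools.wraps copies __name__/__module__ from the original (so a name check
        # would pass), but the __wrapped__ attribute it sets gives the hook away.
        if getattr(func, "__wrapped__", None) is not None:
            findings[name] = "wrapped at runtime"
        elif getattr(func, "__code__", None) is not code:
            findings[name] = "replaced by " + getattr(func, "__qualname__", repr(func))
    return findings


class Account:  # constructed stand-in for eth_account.Account so this runs offline
    @classmethod
    def from_key(cls, key):
        return {"key": key}

    @classmethod
    def from_mnemonic(cls, words):
        return {"mnemonic": words}


def demo():
    """Take a baseline, simulate a set-utils style hook on from_key, then re-verify."""
    baseline = snapshot(Account, ["from_key", "from_mnemonic"])
    clean = verify(Account, baseline)  # {} while nothing has been tampered with
    saved = inspect.getattr_static(Account, "from_key")
    @functools.wraps(saved.__func__)
    def hooked(cls, key):
        # A malicious hook would copy `key` out here before returning the real wallet.
        return saved.__func__(cls, key)
    Account.from_key = classmethod(hooked)
    try:
        return clean, verify(Account, baseline)
    finally:
        Account.from_key = saved  # restore so the check can run again
```

A baseline recorded after the malicious package has already been imported is itself poisoned, so take the snapshot before importing any third-party code.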

Exfiltrating stolen private keys
Source: Socket

Compared with conventional network exfiltration methods, embedding stolen data in Ethereum transactions is far stealthier and harder to distinguish from legitimate activity.

Firewalls and antivirus tools usually monitor HTTP requests, not blockchain transactions, so this method is unlikely to raise any flags or be blocked.

In addition, Polygon transactions carry very low processing fees, have no rate limiting for small transactions, and are served by free public RPC endpoints, so the threat actors do not need to set up their own infrastructure.

Once the exfiltration is complete, the attacker can retrieve the stolen data at any time, because the stolen information is permanently stored on the blockchain.

The set-utils package was removed from PyPI after its discovery. However, users and developers who integrated it into their projects should uninstall it immediately and assume that all Ethereum wallets created while it was installed are at risk.

If those wallets hold funds, it is recommended to move them to another wallet as soon as possible, since they could be stolen at any moment.