Full Report
Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that's equipped to steal a victim's Ethereum private keys by impersonating popular libraries. The package in question is set-utils, which has received 1,077 downloads to date. It's no longer available for download from the official registry. "Disguised as a simple utility for Python
Analysis Summary
# Tool/Technique: set-utils PyPI Package Malware
## Overview
A malicious Python package uploaded to the Python Package Index (PyPI) repository, disguised as a utility library named `set-utils`. Its primary purpose is to steal Ethereum private keys from compromised systems, particularly those of Python blockchain application developers.
## Technical Details
- Type: Malware (Supply Chain Compromise/Package)
- Platform: Python environments, targeting developers using blockchain libraries like `eth-account`.
- Capabilities: Impersonation of popular libraries (`python-utils`, `utils`), hooking wallet generation functions, encrypting stolen keys using an attacker-provided RSA public key, and exfiltrating data via Polygon RPC transactions.
- First Seen: March 07, 2025 (Date of article publication)
## MITRE ATT&CK Mapping
- T1566 - Phishing (Indirectly, via software supply chain trust)
- T1566.003 - Spearphishing Link (installation relies on the developer downloading a trusted-seeming package)
- T1056 - Input Capture
- T1056.001 - Keylogging (Capturing cryptographic secrets during generation)
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Using RPC transactions for C2/Exfiltration)
- T1571 - Non-Standard Port (loose fit: exfiltration relies on standard HTTPS/RPC web protocols, but uses them unconventionally by hiding data inside blockchain transactions)
## Functionality
### Core Capabilities
- **Impersonation:** Disguised itself as `set-utils` while mimicking popular packages like `python-utils` and `utils` to deceive developers.
- **Key Interception:** Hooks into common wallet creation functions (e.g., `from_key()`, `from_mnemonic()`) utilized by libraries like `eth-account` to capture private keys *as they are generated*.
- **Data Encryption:** Encrypts the stolen private keys using the attacker's embedded RSA public key.
### Advanced Features
- **Stealthy Exfiltration:** Exfiltrates the encrypted private keys embedded within legitimate-looking blockchain transactions sent to the Polygon RPC endpoint. This technique aims to bypass traditional network monitoring tools focused on suspicious HTTP requests.
- **Asynchronous Execution:** The malicious function operates within a background thread, further complicating detection efforts.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in text]
- File Names: `set-utils` (PyPI Package Name)
- Registry Keys: [Not applicable/Provided]
- Network Indicators: `rpc-amoy[.]polygon[.]technology` (exfiltration endpoint, **defanged**)
- Behavioral Indicators: Execution of code within wallet generation functions, background thread activity, transaction generation targeting the specified RPC endpoint carrying encrypted data.
## Associated Threat Actors
- Unattributed; the package was discovered by Socket security researchers.
## Detection Methods
- Signature-based detection: Check installed Python environments and lockfiles for the `set-utils` package (the versions containing the malicious code).
- Behavioral detection: Monitor for background threads spawned by utility libraries during cryptographic key generation, and for connections to the Polygon RPC endpoint originating from such libraries, neither of which is standard application behavior.
- YARA rules: [Not available in text]
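A host-side check for the two indicators above (a suspect distribution installed, and wallet-creation functions replaced by a wrapper from another module), written as an added example that is not code from the report or from Socket. The `eth_account.Account` look-alike and the `set_utils` hook are constructed stand-ins so the check runs offline; `WATCHED` and `SUSPECT_DISTS` are assumptions populated from the names the report gives.

```python
from importlib.metadata import distributions

WATCHED = ("from_key", "from_mnemonic")   # wallet functions the report says are hooked
SUSPECT_DISTS = {"set-utils"}             # package name taken from the report


def installed_suspects(names=None, suspects=SUSPECT_DISTS):
    """Suspect package names present among installed distributions (or a given list)."""
    if names is None:
        names = [d.metadata["Name"] for d in distributions()]
    return sorted({n.lower().replace("_", "-") for n in names
                   if n.lower().replace("_", "-") in suspects})


def hooked_functions(account_cls, expected_module="eth_account", names=WATCHED):
    """(name, defining_module) for watched functions not defined inside expected_module.
    functools.wraps forges __module__/__name__, but __globals__ still names the real definer."""
    findings = []
    for name in names:
        fn = getattr(getattr(account_cls, name, None), "__func__", None)
        defined_in = getattr(fn, "__globals__", {}).get("__name__", "<unknown>")
        if not defined_in.startswith(expected_module):   # missing functions are flagged too
            findings.append((name, defined_in))
    return findings


# Constructed stand-ins so the check runs without eth-account or the malware present.
def build_stand_in_account():
    """Minimal eth_account.Account look-alike, executed as module 'eth_account'."""
    ns = {"__name__": "eth_account"}
    exec("class Account:\n"
         "    @classmethod\n"
         "    def from_key(cls, key): return ('account', key)\n"
         "    @classmethod\n"
         "    def from_mnemonic(cls, words): return ('account', words)\n", ns)
    return ns["Account"]


def simulate_hook(account_cls):
    """Wrap from_key from a module named set_utils; models only the interception step
    the report describes (no encryption, no exfiltration). Returns the capture list."""
    ns = {"__name__": "set_utils", "captured": []}
    exec("import functools\n"
         "def install(account_cls):\n"
         "    original = account_cls.from_key.__func__\n"
         "    @functools.wraps(original)\n"
         "    def from_key(cls, key):\n"
         "        captured.append(key)  # stand-in for 'capture the key'\n"
         "        return original(cls, key)\n"
         "    account_cls.from_key = classmethod(from_key)\n", ns)
    ns["install"](account_cls)
    return ns["captured"]
```

On a real workstation, call `hooked_functions(eth_account.Account)` after importing the application's dependencies, since the hook is only visible once the malicious package has run.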
## Mitigation Strategies
- **Source Verification:** Only install packages from trusted sources and verify dependency integrity, especially for newly uploaded or low-download count packages on public repositories like PyPI.
- **Supply Chain Security:** Use dependency monitoring tools that check for package impersonation or suspicious behaviors before installation or use.
- **Network Monitoring:** Implementing egress filtering or deep packet inspection to monitor outbound traffic, even if it leverages standard protocols (like HTTPS/RPC), for embedded secrets or unusual payload structures.
## Related Tools/Techniques
- Software Supply Chain Attacks (General category)
- PyPI Package Hijacking/Typosquatting (Related compromise vectors)
- Cryptojacking/Secret Harvesting Malware