03/04/2025
Python package ‘set-utils’ targets Ethereum wallets
A malicious package designed to steal private keys for Ethereum wallets has been uncovered within the Python Package Index (PyPI).
According to Socket, this package – named ‘set-utils’ – masquerades as a utility for Python sets and has been actively targeting developers.
“The Socket Research Team has discovered a malicious PyPI package, set-utils, designed to steal Ethereum private keys by exploiting commonly used account creation functions,” the team stated.
This package mimics popular libraries such as ‘python-utils’ and ‘utils,’ tricking developers into installing the compromised software.
Since its appearance on January 29, 2025, ‘set-utils’ has been downloaded over 1,000 times, posing a serious threat to Ethereum users and developers—particularly those working with Python-based wallet management libraries like ‘eth-account’.
How the attack compromises Ethereum wallets
The malicious package operates by intercepting Ethereum account creation processes. It exfiltrates private keys by abusing the Polygon RPC endpoint as a Command and Control (C2) server. This method allows attackers to discreetly extract stolen credentials through blockchain transactions.
The attack primarily targets:
Blockchain developers using ‘eth-account’ for wallet creation and management
DeFi (Decentralised Finance) projects relying on Python scripts for account generation
Crypto exchanges and Web3 applications integrating Ethereum transactions
Individuals managing personal Ethereum wallets using Python automation