Ethereum private key stealer on PyPI hits thousands of users

March 31, 2025

A reportedly malicious Python Package Index (PyPI) package called “set-utils” has been found carrying an Ethereum private key stealer.

Reports revealed that this package can intercept wallet creation routines and exfiltrate the generated private keys via the Polygon blockchain. It poses as a general-purpose Python utility library, with a name chosen to resemble the popular “python-utils,” which has over 712 million downloads, and “utils,” which has over 23.5 million installations.

Researchers who found the malicious package revealed that set-utils had been downloaded over a thousand times since its arrival on PyPI last January. The attacks mainly target blockchain developers who use ‘eth-account’ for wallet creation and maintenance, Python-based DeFi projects, Web3 apps with Ethereum compatibility, and personal wallets managed through Python automation.

Although the package was downloaded only about a thousand times, it targets cryptocurrency projects, so every wallet created by software that bundled it may be affected, a potentially much larger population of end users.

The Ethereum private key stealer is a stealthy tool.

According to investigations, the package that carries the Ethereum private key stealer embeds the attacker’s RSA public key, used to encrypt the stolen data, and an Ethereum sender account controlled by the operators.

In addition, the package intercepts private keys as they are generated by the standard Ethereum wallet creation routines on the compromised workstation.

Next, it encrypts the stolen private key, inserts the ciphertext into the data field of an Ethereum transaction, and sends that transaction to the attacker’s account through a Polygon RPC endpoint. Compared with typical network exfiltration methods, hiding stolen data in Ethereum transactions is far more elusive and much harder to distinguish from legitimate activity.

Firewalls and antivirus software typically inspect HTTP requests but do not interpret blockchain transactions, so this strategy is unlikely to trigger alerts or be blocked.

Furthermore, Polygon transactions carry extremely low fees, small transactions are not rate limited, and free public RPC endpoints are available, so the threat actors need no infrastructure of their own.
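As an added defensive example (not code from the report or from the package), the following Python heuristic flags transactions whose data field looks like an encrypted blob sent to a plain account rather than a genuine contract call. The sample transactions are constructed, and the `to_is_contract` field stands in for the `eth_getCode` lookup a real monitor would perform on the recipient.

```python
import hashlib
import math

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_like_calldata_exfil(tx: dict, min_len: int = 128, min_entropy: float = 6.0) -> bool:
    """Heuristic for the exfiltration pattern described above: an RSA-encrypted key
    dropped into the data field of a transfer to an attacker-controlled account.
    A 2048-bit RSA ciphertext is 256 near-uniform bytes, whereas legitimate calldata
    is a 4-byte selector plus ABI words that are mostly zero padding."""
    raw = tx.get("input", "0x")
    data = bytes.fromhex(raw[2:] if raw.startswith("0x") else raw)
    if tx.get("to_is_contract", False):
        return False  # calldata to a contract is normal; in practice check eth_getCode(to)
    if len(data) < min_len:
        return False  # empty data or a short memo on a plain transfer is normal
    return shannon_entropy(data) >= min_entropy

def _fake_ciphertext(nbytes: int = 256) -> bytes:
    """Constructed high-entropy stand-in for an RSA ciphertext (a sha256 chain)."""
    out, block = b"", b"constructed-seed"
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:nbytes]

# Constructed sample transactions in eth_getTransactionByHash-like shape (not from the page).
SAMPLE_TXS = [
    # ordinary value transfer with empty data
    {"to": "0x" + "11" * 20, "value": 10**18, "input": "0x", "to_is_contract": False},
    # ERC-20 transfer(address,uint256) call: selector + two zero-padded 32-byte words
    {"to": "0x" + "22" * 20, "value": 0, "to_is_contract": True,
     "input": "0xa9059cbb" + "00" * 12 + "33" * 20 + "00" * 31 + "64"},
    # zero-value transfer to a plain account carrying a 256-byte encrypted blob
    {"to": "0x" + "44" * 20, "value": 0, "to_is_contract": False,
     "input": "0x" + _fake_ciphertext().hex()},
]

def flag_suspicious(txs: list) -> list:
    """Return the indices of transactions matching the exfiltration heuristic."""
    return [i for i, tx in enumerate(txs) if looks_like_calldata_exfil(tx)]
```

Run over a feed of outbound transactions from a development host, the heuristic isolates the third sample; tune `min_len` and `min_entropy` against your own traffic, since memos and some encoded payloads can approach the threshold.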

Once the transaction is mined, the attacker can retrieve the stolen data at any time, because it is stored permanently on the blockchain. The set-utils package has since been removed from PyPI following its discovery.

Nevertheless, users and software developers who have already downloaded it and integrated it into their projects should uninstall it immediately and treat any Ethereum wallets created while it was installed as compromised.
