Sophisticated Crypto-Stealing Package Discovered in Python Package Index

CyberSecureFox 🦊

Security researchers at Socket Security have uncovered a sophisticated supply chain attack targeting cryptocurrency developers through the Python Package Index (PyPI). The malicious package, named ‘set-utils’, masqueraded as legitimate Python utilities while specifically targeting Ethereum wallet developers to steal private keys through an innovative blockchain-based exfiltration method.

Advanced Private Key Interception Mechanism

The malware authors hooked the standard Ethereum wallet creation functions, injecting malicious code into the from_key() and from_mnemonic() methods so that each private key was intercepted at the moment the wallet was generated. The stolen credentials were immediately encrypted with an RSA public key embedded in the package, ensuring that only the attackers could read the compromised data.

Innovative Blockchain-Based Data Exfiltration

What sets this attack apart is its ingenious use of the Polygon blockchain network for data exfiltration. The attackers leveraged the rpc-amoy.polygon.technology public RPC endpoint to transmit encrypted private keys within Ethereum transaction data fields. This novel approach effectively bypassed traditional security monitoring systems that primarily focus on HTTP traffic analysis.
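The two behaviours described above, hooking the wallet constructors and hard-coding the Polygon RPC endpoint and an RSA public key, can be turned into a static dependency check. The scanner below is an added example, not code from the report or from the malicious package; the sample module texts it scans are constructed stand-ins, and the marker strings are the only indicators taken from the article.

```python
import ast
from typing import List

# Indicators taken from the set-utils report: the two wallet constructors the
# package hooked, the Polygon RPC host it used for exfiltration, and an embedded
# RSA public key used to encrypt stolen keys.
HOOKED_METHODS = {"from_key", "from_mnemonic"}
SUSPICIOUS_STRINGS = ("rpc-amoy.polygon.technology", "BEGIN PUBLIC KEY")


def scan_source(src: str) -> List[str]:
    """Return one finding per suspicious construct in a module's source text."""
    findings: List[str] = []
    for node in ast.walk(ast.parse(src)):
        # Monkey-patching by assignment: `Account.from_key = ...`
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr in HOOKED_METHODS:
                    findings.append(f"line {node.lineno}: reassigns wallet method {target.attr}")
        # Monkey-patching via setattr: `setattr(Account, "from_key", ...)`
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id == "setattr" and len(node.args) >= 2:
            name = node.args[1]
            if isinstance(name, ast.Constant) and name.value in HOOKED_METHODS:
                findings.append(f"line {node.lineno}: setattr on wallet method {name.value}")
        # Hard-coded RPC endpoint or embedded public key material.
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for marker in SUSPICIOUS_STRINGS:
                if marker in node.value:
                    findings.append(f"line {node.lineno}: string contains {marker!r}")
    return findings


# Constructed samples, not code from the real package.
BENIGN_SAMPLE = '''
def unique(items):
    return list(dict.fromkeys(items))
'''

SUSPICIOUS_SAMPLE = '''
from eth_account import Account
RPC_URL = "https://rpc-amoy.polygon.technology"
PUBKEY = "-----BEGIN PUBLIC KEY----- <placeholder> -----END PUBLIC KEY-----"
Account.from_key = lambda key: None          # stand-in hook that does nothing
setattr(Account, "from_mnemonic", lambda *a: None)
'''

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, scan_source(sample) or ["no findings"])
```

Run it over every module in a freshly installed dependency tree before the code is imported; a utility package that touches wallet constructors or carries an RPC URL and a public key has no business doing so. The exfiltrating transactions still leave the developer machine as HTTPS requests to the RPC host, so egress to rpc-amoy.polygon.technology from build or CI hosts is an equally useful network-side signal.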

Impact Assessment and Target Profile

The malicious package accumulated 1,077 downloads since January 29, 2025, primarily affecting three key groups: Python-based DeFi project developers, Ethereum-compatible Web3 application creators, and cryptocurrency automation specialists. This targeted approach demonstrates the attackers’ sophisticated understanding of the cryptocurrency development ecosystem.

Strategic Use of Polygon Network

The selection of the Polygon blockchain for data exfiltration reveals the attackers’ strategic thinking. The network’s characteristics, including minimal transaction fees, high transaction frequency tolerance, and free public RPC endpoints, provided an ideal infrastructure for the attack while minimizing operational costs and detection risks.

While the malicious package has been removed from PyPI, the incident highlights the growing sophistication of supply chain attacks in the cryptocurrency ecosystem. Organizations using the set-utils package must immediately remove it from their projects and consider all Ethereum wallets created with this package compromised. Immediate action is required to transfer assets to new wallets generated using verified tools. This incident serves as a crucial reminder for developers to implement robust dependency verification processes and maintain vigilant security practices when working with cryptocurrency-related code.
