This Malicious PyPI Package Stole Ethereum Private Keys via Polygon RPC Transactions

Avatar
Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that’s equipped to steal a victim’s Ethereum private keys by impersonating popular libraries. The package in question is set-utils, which has received 1,077 downloads to date. It’s no longer available for download from the official registry. “Disguised as a simple utility for Python

Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that’s equipped to steal a victim’s Ethereum private keys by impersonating popular libraries.

The package in question is set-utils, which has received 1,077 downloads to date. It’s no longer available for download from the official registry.

“Disguised as a simple utility for Python sets, the package mimics widely used libraries like python-utils (712M+ downloads) and utils (23.5M + downloads),” software supply chain security company Socket said.

“This deception tricks unsuspecting developers into installing the compromised package, granting attackers unauthorized access to Ethereum wallets.”

The package aims to target Ethereum developers and organizations working with Python-based blockchain applications, particularly Python-based wallet management libraries like eth-account.

Besides embedding the attacker’s RSA public key to be used for encrypting the stolen data and an Ethereum sender account under their control, the library hooks into wallet creation functions like “from_key()” and “from_mnewmonic()” to intercept private keys as they are generated on the compromised machine.

In an interesting twist, the private keys are exfiltrated within blockchain transactions via the Polygon RPC endpoint “rpc-amoy.polygon.technology” in an attempt to resist traditional detection efforts that monitor for suspicious HTTP requests.

“This ensures that even when a user successfully creates an Ethereum account, their private key is stolen and transmitted to the attacker,” Socket said. “The malicious function runs in a background thread, making detection even more difficult.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

U.S. Secret Service Seizes Russian Garantex Crypto Exchange Website

Next Post

What PCI DSS v4 Really Means – Lessons from A&F Compliance Journey

Related Posts

Dutch DPA Fines Netflix €4.75 Million for GDPR Violations Over Data Transparency

The Dutch Data Protection Authority (DPA) on Wednesday fined video on-demand streaming service Netflix €4.75 million ($4.93 million) for not giving consumers enough information about how it used their data between 2018 and 2020. An investigation launched by the DPA in 2019 found that the tech giant did not inform customers clearly enough in its privacy statement about what it does with the data
Avatar
Read More

DoJ Indicts 14 North Koreans for $88M IT Worker Fraud Scheme Over Six Years

The U.S. Department of Justice (DoJ) has indicted 14 nationals belonging to the Democratic People's Republic of Korea (DPRK or North Korea) for their alleged involvement in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organizations. "The conspirators, who worked for
Avatar
Read More

Microsoft Identifies 3,000+ Publicly Disclosed ASP.NET Machine Keys Vulnerable to Code Injection

Microsoft is warning of an insecure practice wherein software developers are incorporating publicly disclosed ASP.NET machine keys from publicly accessible resources, thereby putting their applications in attackers' pathway. The tech giant's threat intelligence team said it observed limited activity in December 2024 that involved an unknown threat actor using a publicly available, static ASP.NET
Avatar
Read More