This Malicious PyPI Package Stole Ethereum Private Keys via Polygon RPC Transactions

Avatar
Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that’s equipped to steal a victim’s Ethereum private keys by impersonating popular libraries. The package in question is set-utils, which has received 1,077 downloads to date. It’s no longer available for download from the official registry. “Disguised as a simple utility for Python

Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that’s equipped to steal a victim’s Ethereum private keys by impersonating popular libraries.

The package in question is set-utils, which has received 1,077 downloads to date. It’s no longer available for download from the official registry.

“Disguised as a simple utility for Python sets, the package mimics widely used libraries like python-utils (712M+ downloads) and utils (23.5M + downloads),” software supply chain security company Socket said.

“This deception tricks unsuspecting developers into installing the compromised package, granting attackers unauthorized access to Ethereum wallets.”

The package aims to target Ethereum developers and organizations working with Python-based blockchain applications, particularly Python-based wallet management libraries like eth-account.

Besides embedding the attacker’s RSA public key to be used for encrypting the stolen data and an Ethereum sender account under their control, the library hooks into wallet creation functions like “from_key()” and “from_mnewmonic()” to intercept private keys as they are generated on the compromised machine.

In an interesting twist, the private keys are exfiltrated within blockchain transactions via the Polygon RPC endpoint “rpc-amoy.polygon.technology” in an attempt to resist traditional detection efforts that monitor for suspicious HTTP requests.

“This ensures that even when a user successfully creates an Ethereum account, their private key is stolen and transmitted to the attacker,” Socket said. “The malicious function runs in a background thread, making detection even more difficult.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

U.S. Secret Service Seizes Russian Garantex Crypto Exchange Website

Next Post

What PCI DSS v4 Really Means – Lessons from A&F Compliance Journey

Related Posts

Ruijie Networks’ Cloud Platform Flaws Could’ve Exposed 50,000 Devices to Remote Attacks

Cybersecurity researchers have discovered several security flaws in the cloud management platform developed by Ruijie Networks that could permit an attacker to take control of the network appliances. "These vulnerabilities affect both the Reyee platform, as well as Reyee OS network devices," Claroty researchers Noam Moshe and Tomer Goldschmidt said in a recent analysis. "The vulnerabilities, if
Avatar
Read More

PCI DSS 4.0 Mandates DMARC By 31st March 2025

The payment card industry has set a critical deadline for businesses handling cardholder data or processing payments- by March 31, 2025, DMARC implementation will be mandatory! This requirement highlights the importance of preventative measures against email fraud, domain spoofing, and phishing in the financial space. This is not an optional requirement as non-compliance may result in monetary
Avatar
Read More

New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations

Cybersecurity researchers have shed light on a new Golang-based backdoor that uses Telegram as a mechanism for command-and-control (C2) communications. Netskope Threat Labs, which detailed the functions of the malware, described it as possibly of Russian origin. "The malware is compiled in Golang and once executed it acts like a backdoor," security researcher Leandro Fróes said in an analysis
Avatar
Read More