Cybersecurity researchers have uncovered a malicious Python package in the Python Package Index (PyPI) repository, designed to steal Ethereum private keys by exploiting Polygon RPC transactions. The package, named set-utils, was downloaded 1,077 times before it was removed from the official registry.
Disguised as a simple utility for Python sets, set-utils mimics widely used libraries like python-utils (with over 712 million downloads) and utils (23.5 million+ downloads). This deception tricks unsuspecting developers into installing the compromised package, granting attackers unauthorized access to Ethereum wallets.
Targeting Ethereum Developers
The malicious package targets Ethereum developers and organizations that build Python-based blockchain applications, and in particular those using Python wallet management libraries such as eth-account.
Beyond impersonating legitimate libraries, the package embeds the attacker’s RSA public key to encrypt stolen data. It also includes an Ethereum sender account controlled by the attacker. The malicious package hooks into wallet creation functions like from_key() and from_mnemonic(), allowing it to intercept private keys as they are generated on compromised machines.
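A practical defensive check for the hooking behaviour described above is to verify, at startup or in CI, that a wallet library's entry points are still defined by code inside that library's own package directory rather than by a function assigned over them from some other package. The example below is added here and is not code from the article, from Socket, or from eth-account: it builds a constructed stand-in `Account` class and a constructed stand-in "third-party" patch (both compiled from strings with fake file names so it runs offline), then runs the integrity check over them. With a real install you would pass `eth_account.Account` and the directory of the installed `eth_account` package instead of the stand-ins.

```python
"""Detect wallet-creation methods that were replaced by code from outside
the library's package (a monkey-patch hook).

Everything under "stand-in" below is constructed for this example.
"""
import os

# Constructed path standing in for the installed library's package directory.
LIB_DIR = os.path.normpath("/fake/site-packages/eth_account")

# Stand-in for the library: a class with classmethod constructors, compiled
# so that its functions report LIB_DIR/account.py as their source file.
LIB_SRC = '''
class Account:
    @classmethod
    def from_key(cls, key):
        return ("account", key)

    @classmethod
    def from_mnemonic(cls, words):
        return ("account", words)
'''

# Stand-in for a foreign package that assigns its own function over
# Account.from_key. It only forwards the call, so behaviour looks unchanged
# to the caller; what gives it away is where its code lives.
HOOK_SRC = '''
def install(account_cls):
    original = account_cls.from_key
    def from_key(key):
        return original(key)
    account_cls.from_key = from_key
'''


def function_origin(obj):
    """Return the source file the callable was compiled from, or None.

    Uses ``__code__.co_filename`` instead of ``__module__`` because
    ``functools.wraps`` copies ``__module__`` onto a wrapper but cannot
    change the file the wrapper's own code object was compiled from.
    The outermost object is inspected on purpose: following ``__wrapped__``
    would lead back to the genuine function and hide the wrapper.
    """
    func = getattr(obj, "__func__", obj)  # unwrap classmethod/staticmethod
    code = getattr(func, "__code__", None)
    return code.co_filename if code is not None else None


def find_foreign_methods(cls, names, package_dir):
    """Return {name: source_file} for every method in ``names`` whose code
    is not located under ``package_dir``. An empty dict means no hook."""
    package_dir = os.path.normpath(package_dir)
    foreign = {}
    for name in names:
        raw = None
        # Read the raw class attribute (not the bound method) so the
        # classmethod object, or whatever was assigned over it, is seen.
        for klass in cls.__mro__:
            if name in vars(klass):
                raw = vars(klass)[name]
                break
        origin = function_origin(raw)
        inside = origin is not None and os.path.normpath(origin).startswith(
            package_dir + os.sep
        )
        if not inside:
            foreign[name] = origin
    return foreign


def load_stand_in_library():
    """Compile the stand-in library with a file name under LIB_DIR."""
    namespace = {}
    exec(compile(LIB_SRC, os.path.join(LIB_DIR, "account.py"), "exec"), namespace)
    return namespace["Account"]


def apply_stand_in_hook(account_cls):
    """Compile the stand-in foreign patch under a different package path
    and let it replace Account.from_key."""
    namespace = {}
    hook_file = os.path.normpath("/fake/site-packages/other_pkg/__init__.py")
    exec(compile(HOOK_SRC, hook_file, "exec"), namespace)
    namespace["install"](account_cls)


WATCHED = ["from_key", "from_mnemonic"]

if __name__ == "__main__":
    Account = load_stand_in_library()
    print("before hook:", find_foreign_methods(Account, WATCHED, LIB_DIR))
    apply_stand_in_hook(Account)
    print("after hook: ", find_foreign_methods(Account, WATCHED, LIB_DIR))
    # The hooked constructor still returns the expected value, which is why
    # a behavioural test alone would not notice the replacement.
    print("from_key still works:", Account.from_key("k"))
```

Running the check early, before any key is derived, matters because the replacement is invisible to callers: the hooked constructor returns exactly what the original would. For a real deployment, `package_dir` should be the directory of the installed library as reported by `os.path.dirname(eth_account.__file__)`, and the check belongs alongside a pinned, hash-verified dependency set rather than instead of one.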
Clever Evasion Tactics: Exfiltrating Private Keys via Polygon RPC
The attack takes an unusual turn by exfiltrating the stolen private keys inside blockchain transactions sent through the Polygon RPC endpoint “rpc-amoy.polygon.technology.” This circumvents traditional detection efforts that monitor for suspicious HTTP requests: because the private keys travel inside what look like ordinary blockchain transactions, conventional security tools find the exfiltration significantly harder to spot.
"This ensures that even when a user successfully creates an Ethereum account, their private key is stolen and transmitted to the attacker," said Socket, the software supply chain security firm that discovered the malicious package. The malicious function runs in a background thread, making detection even more challenging.
Conclusion: A Rising Threat to Blockchain Security
This attack highlights the growing risks of compromised Python packages and the vulnerabilities they pose to blockchain developers. Developers must remain vigilant about the packages they install and ensure they are sourced from trusted repositories to safeguard their Ethereum wallets and blockchain applications.