Full Report
A malicious Python Package Index (PyPI) package named "set-utils" has been stealing Ethereum private keys through intercepted wallet creation functions and exfiltrating them via the Polygon blockchain. [...]
Analysis Summary
# Tool/Technique: Malicious 'set-utils' PyPI Package
## Overview
A malicious Python package named 'set-utils' was submitted to the Python Package Index (PyPI) specifically designed to steal Ethereum private keys from developers working on related projects (e.g., DeFi, Web3 apps). It achieves stealth by embedding the stolen keys within legitimate-looking Ethereum transactions sent to an attacker-controlled address via the Polygon RPC endpoint.
## Technical Details
- Type: Malware (Supply Chain Poisoning/Package)
- Platform: Python environments, targeting applications using Ethereum functionalities.
- Capabilities: Intercepting and exfiltrating Ethereum private keys through blockchain transactions.
- First Seen: Submitted to PyPI on January 29, 2025.
## MITRE ATT&CK Mapping
This activity primarily focuses on credential access and data exfiltration using unconventional means.
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping (Specific application credential theft)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (Using the Polygon blockchain as the covert channel)
## Functionality
### Core Capabilities
- **Hooking Wallet Functions**: The package hooks the standard Ethereum wallet creation functions (`from_key()` and `from_mnemonic()`) in libraries such as 'eth-account' to capture private keys at the moment they are generated or imported.
- **Encryption**: Stolen private keys are encrypted using the attacker's embedded RSA public key.
- **Transaction Embedment**: The encrypted private key is embedded within the data field of an Ethereum transaction.
### Advanced Features
- **Covert Exfiltration**: Data is exfiltrated via the Polygon RPC endpoint (`rpc-amoy.polygon.technology/`) rather than traditional network protocols (HTTP/S), bypassing standard firewall/AV monitoring for network traffic.
- **Persistence on Blockchain**: The stolen data is permanently stored on the blockchain, allowing retrieval by the attacker at any time.
- **Infrastructure Avoidance**: Utilizing free, public Polygon RPC endpoints avoids the need for the attacker to maintain and sustain their own dedicated C2 infrastructure.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: 'set-utils' (PyPI package name)
- Registry Keys: [Not applicable/provided]
- Network Indicators:
  - C2 Endpoint: `rpc-amoy.polygon.technology/` (Defanged: `rpc-amoy[.]polygon[.]technology[/]`)
- Behavioral Indicators:
  - Execution logic interacting with or modifying functions related to Ethereum key generation (e.g., `from_key`, `from_mnemonic`).
  - Outbound transactions containing large, encrypted data payloads sent from an attacker-controlled Ethereum sender account via the specified RPC endpoint.
## Associated Threat Actors
- [Not explicitly named in the context, described as threat actors using supply chain attacks.]
## Detection Methods
- Signature-based detection: Yara/Antivirus rules targeting the presence of the 'set-utils' package installation or files associated with it.
- Behavioral detection: Monitoring for Python scripts that interact with key generation libraries and subsequently initiate uncharacteristic outbound transactions (especially via non-standard C2 vectors like public RPC endpoints).
- YARA rules: [Not provided in the context]
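The hooking described under Functionality has a cheap runtime tell: the wallet class's `from_key`/`from_mnemonic` attributes no longer point at the library's own functions. The check below is an added example (not code from the original report or from the 'set-utils' analysis); the `Account` class is a constructed stand-in, and in real use the caller would pass `eth_account.Account` (assumed import) instead. `simulate_hooks` is a constructed test double that exercises both signals the check looks for.

```python
import functools
import inspect

WALLET_ENTRY_POINTS = ("from_key", "from_mnemonic")

class Account:
    """Constructed stand-in for the library's wallet class."""
    @classmethod
    def from_key(cls, key):
        return ("account", key)

    @classmethod
    def from_mnemonic(cls, words):
        return ("account", words)

def find_hooked_functions(owner, names):
    """Map each attribute name that looks hooked to the reasons it does."""
    findings = {}
    for name in names:
        raw = inspect.getattr_static(owner, name, None)  # no descriptor side effects
        if raw is None:
            continue
        fn = getattr(raw, "__func__", raw)  # unbind classmethod/staticmethod
        reasons = []
        # functools.wraps copies __module__/__qualname__ but leaves __wrapped__ behind
        if hasattr(fn, "__wrapped__"):
            reasons.append("wrapped")
        if getattr(fn, "__module__", None) != owner.__module__:
            reasons.append("foreign module")
        if not getattr(fn, "__qualname__", "").startswith(owner.__name__ + "."):
            reasons.append("foreign qualname")
        if reasons:
            findings[name] = reasons
    return findings

def simulate_hooks(owner):
    """Constructed test double: replace both entry points with delegating wrappers."""
    original_key, original_mnemonic = owner.from_key, owner.from_mnemonic

    @functools.wraps(original_key.__func__)
    def from_key(cls, key):  # disguised with wraps: caught via __wrapped__
        return original_key(key)

    def from_mnemonic(cls, words):  # plain replacement: caught via module/qualname
        return original_mnemonic(words)

    from_mnemonic.__module__ = "third_party_pkg"  # constructed foreign module name
    owner.from_key = classmethod(from_key)
    owner.from_mnemonic = classmethod(from_mnemonic)
```

Run the check early at interpreter start-up and again after all imports; a hook that appears only after a particular package is imported points at that package.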
## Mitigation Strategies
- **Immediate Uninstallation**: Users who incorporated the package must uninstall it immediately.
- **Compromised Wallet Migration**: Assume any wallet created on the compromised system after the installation of the package is compromised. Funds must be moved to a new, secure wallet immediately.
- **Dependency Scanning**: Implement strict dependency scanning and validation processes for all open-source packages sourced from PyPI, particularly for packages that exhibit unusual installation or execution logic.
## Related Tools/Techniques
- Supply Chain Poisoning: Other tactics involving injecting malicious code into legitimate software repositories (e.g., npm, RubyGems).
- Covert Channel Exfiltration: Using legitimate application protocols or services (like DNS or cryptocurrency transactions) to bypass network security monitoring.