
Ethereum Key Thief: PyPI’s Surprising 1K Downloads

By editor

Mar 6, 2025

Open-Source Threat: The “set-utils” Package

A new threat has appeared in the collaborative world of open-source software, and this one is aimed at Ethereum, a decentralized blockchain. A malicious Python package named “set-utils” was found on the Python Package Index (PyPI), built to steal Ethereum private keys. It has been downloaded over 1,000 times since it was published on PyPI on January 29, 2025[1][2]. Even a modest download count matters here, because the developers who install such packages use them to create and manage wallets on behalf of many users.

How the Bad Package Works

The “set-utils” package poses as a general-purpose Python utility, mimicking the names of popular packages such as “python-utils” and “utils”[1]. Its real job is to hook Ethereum wallet-creation functions. It targets blockchain developers who use Python to manage their wallets[2]. It patches standard wallet-creation functions such as `from_key()` and `from_mnemonic()` so that private keys are captured the moment they are generated on a compromised machine[1].

Once a private key is captured, it is encrypted with the attacker’s RSA public key and embedded in an Ethereum transaction. That transaction is then sent to the attacker’s account through the Polygon RPC endpoint “rpc-amoy.polygon.technology/”[1]. This exfiltration channel is hard to spot because blockchain transactions are rarely inspected by firewalls or antivirus tools[1].
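One defensive check that follows from this, added here as an example and not taken from the article or from the eth-account project: verify at startup that `from_key()` and `from_mnemonic()` are still the library’s own code rather than a hook installed by some other imported package. The `Account` class below is a constructed stand-in, compiled as if it lived in an `eth_account` directory under a constructed path, so the check runs offline.

```python
"""Runtime check for monkey-patched wallet-creation functions (added example).
A hook installed by another package is compiled from a file outside the wallet
library's own directory, so each function's source file gives it away."""
import os

HOOKED_NAMES = ("from_key", "from_mnemonic")  # the two functions the article names


def _code_files(func):
    """Yield the source file of func and of every function it wraps (functools.wraps)."""
    seen = set()
    while func is not None and id(func) not in seen:
        seen.add(id(func))
        code = getattr(func, "__code__", None)
        yield os.path.abspath(code.co_filename) if code else "<no python code>"
        func = getattr(func, "__wrapped__", None)


def find_foreign_hooks(account_cls, trusted_dirs, names=HOOKED_NAMES):
    """Return {name: [files]} for each function whose wrapper chain leaves trusted_dirs."""
    roots = [os.path.abspath(d) + os.sep for d in trusted_dirs]
    findings = {}
    for name in names:
        foreign = [f for f in _code_files(getattr(account_cls, name))
                   if not any(f.startswith(r) for r in roots)]
        if foreign:
            findings[name] = foreign
    return findings


def _build_stand_in(library_dir):
    """Constructed stand-in for eth_account.Account, compiled as if it lived in library_dir."""
    src = ("class Account:\n"
           "    @classmethod\n"
           "    def from_key(cls, key):\n        return ('wallet', key)\n"
           "    @classmethod\n"
           "    def from_mnemonic(cls, words):\n        return ('wallet', words)\n")
    namespace = {}
    exec(compile(src, os.path.join(library_dir, "account.py"), "exec"), namespace)
    return namespace["Account"]


def demo():
    """Check a clean Account, then the same class after a hook is installed."""
    lib_dir = os.path.join(os.sep, "constructed-site-packages", "eth_account")  # constructed path
    Account = _build_stand_in(lib_dir)
    before = find_foreign_hooks(Account, [lib_dir])
    original = Account.from_key
    def hooked_from_key(key):  # stands in for the interception; it only forwards the call
        return original(key)
    Account.from_key = staticmethod(hooked_from_key)  # the patch a malicious import installs
    return before, find_foreign_hooks(Account, [lib_dir])
```

With the real library installed, the equivalent call is `find_foreign_hooks(eth_account.Account, [os.path.dirname(eth_account.__file__), os.path.dirname(eth_utils.__file__)])`, where eth_utils is listed as trusted on the assumption that eth-account’s `combomethod` decorator, which lives there, wraps these methods. Run it once before any wallet is created and treat a non-empty result as a reason to stop.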

Who’s in Danger?

The main targets of this attack are developers who use ‘eth-account’ to create and manage wallets, Python-based DeFi projects, Web3 apps that interact with Ethereum, and personal wallets automated with Python[1]. Even with a small download count, the impact could be large, because these applications can generate many wallets, and each one could be compromised[1].

What to Do

The package was removed from PyPI after it was discovered. If you used it in a project, remove it immediately and treat any Ethereum wallet you created while it was installed as compromised[1]. If those wallets hold funds, move them to another wallet as soon as possible, before they can be stolen[1].

Keeping Open-Source Safe

The “set-utils” incident shows that open-source repositories like PyPI have weaknesses that attackers can exploit. To stop this from happening again, new tools such as DySec, a machine-learning system that detects malicious packages in real time, are being developed[4]. As the digital world changes, keeping these repositories safe is essential to protect users and preserve trust in open-source software.

Sources: Bleeping Computer, Daily.dev, Wilder Security, arXiv

