
Cybersecurity researchers have discovered a malicious Python package in the Python Package Index (PyPI) repository that is designed to steal victims’ Ethereum private keys by impersonating a popular library.
The package in question is Settil, which has been downloaded 1,077 times so far. It can no longer be downloaded from the official registry.
“The package, impersonating a simple utility for Python sets, mimics widely used libraries such as python-utils (712M+ downloads) and utils (23.5M+ downloads).”
“This deception tricks unsuspecting developers into installing compromised packages and grants attackers unauthorized access to Ethereum wallets.”

This package targets Python-based blockchain applications, particularly Ethereum developers and organizations that use Python wallet-management libraries such as eth-account.

In addition to embedding the attacker’s RSA public key, which it uses to encrypt the stolen data, and an Ethereum sender account, the library hooks wallet-creation functions such as “from_key()” and “from_mnemonic()” to intercept private keys generated on compromised machines.
In an interesting twist, the private key is exfiltrated inside a blockchain transaction via the Polygon RPC endpoint “rpc-amoy.polygon.technology”, which sidesteps traditional detection efforts that monitor for suspicious HTTP requests.
“This ensures that even if a user successfully creates an Ethereum account, the private key will be stolen and sent to the attacker,” says Socket. “Malicious functions run in the background thread, making detection even more difficult.”
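The hooking technique described above, where a third-party package replaces wallet-creation functions with wrappers at import time, can be checked for from the defender's side. The following is an added example, not code from the article or from Socket: it verifies that the code behind each wallet-creation entry point is still defined inside the library's own install directory and has not been decorated after definition. The real eth-account library is not imported; a stand-in `Account` class with `from_key` and `from_mnemonic` methods is constructed and compiled under an assumed path, as is a stand-in "hook" compiled under a second assumed path, so the check runs offline.

```python
"""Integrity check for wallet-creation entry points (added example).

A wrapper installed with functools.wraps copies __module__, __name__ and
__qualname__ from the function it replaces, so those attributes cannot be
trusted to tell where code came from. The code object itself is not copied,
so __code__.co_filename still points at the file that defines the code that
actually runs; that is what this check uses.
"""
import functools
import types

# Constructed stand-in for the library, compiled under an assumed path so the
# code objects carry a realistic co_filename. This is NOT the real eth_account.
STUB_LIB_DIR = "/site-packages/eth_account"
_STUB_LIB_SRC = '''
class Account:
    @classmethod
    def from_key(cls, key):
        return ("account", key)

    @classmethod
    def from_mnemonic(cls, words):
        return ("account", words)
'''

# Constructed stand-in for a package that wraps a library method at import
# time. The wrapper only passes the result through; it exists so that the
# check below has something to detect.
STUB_HOOK_DIR = "/site-packages/some_other_package"
_STUB_HOOK_SRC = '''
import functools

def install(cls, name):
    original = getattr(cls, name).__func__
    @functools.wraps(original)
    def wrapper(klass, *args, **kwargs):
        return original(klass, *args, **kwargs)
    setattr(cls, name, classmethod(wrapper))
'''

WALLET_ENTRYPOINTS = ("from_key", "from_mnemonic")


def build_module(name, source, filename):
    """Compile ``source`` as module ``name`` with code objects attributed to ``filename``."""
    module = types.ModuleType(name)
    module.__file__ = filename
    exec(compile(source, filename, "exec"), module.__dict__)
    return module


def code_origin(obj):
    """Return (filename, has_wrapper) for the code that runs when ``obj`` is called."""
    func = getattr(obj, "__func__", obj)        # bound/class method -> plain function
    has_wrapper = hasattr(func, "__wrapped__")  # left behind by functools.wraps
    code = getattr(func, "__code__", None)
    return (code.co_filename if code else None), has_wrapper


def check_entrypoints(cls, package_dir, names=WALLET_ENTRYPOINTS):
    """Map each entry-point name to a list of findings; an empty list means it looks intact.

    In a real environment pass ``os.path.dirname(eth_account.__file__)`` as
    ``package_dir`` and the library's own Account class as ``cls``.
    """
    report = {}
    for name in names:
        findings = []
        attr = getattr(cls, name, None)
        if attr is None:
            findings.append("missing")
        else:
            filename, wrapped = code_origin(attr)
            if filename is None or not filename.startswith(package_dir + "/"):
                findings.append(f"code defined outside {package_dir}: {filename}")
            if wrapped:
                findings.append("carries __wrapped__ (decorated after definition)")
        report[name] = findings
    return report


def demo():
    """Check a fresh stub library, install the stub hook on from_key, check again."""
    lib = build_module("eth_account", _STUB_LIB_SRC, STUB_LIB_DIR + "/account.py")
    before = check_entrypoints(lib.Account, STUB_LIB_DIR)
    hook = build_module("some_other_package", _STUB_HOOK_SRC, STUB_HOOK_DIR + "/__init__.py")
    hook.install(lib.Account, "from_key")
    after = check_entrypoints(lib.Account, STUB_LIB_DIR)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before hook:", before)
    print("after hook: ", after)
```

This is a cheap sanity check to run at application start-up or in CI, not a guarantee: code that goes as far as swapping `__code__` objects would pass it, and the stand-in wrapper here deliberately keeps the copied `__module__` of `eth_account`, which is why the check ignores `__module__` and looks at the code object's file instead. Pinning and reviewing dependencies before they are installed remains the stronger control.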