
Over 1,000 Users Downloaded A PyPI Package That Stole Crypto Private Keys
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Sarah Frazier Former Content Manager
A malicious Python package named “set-utils” was found stealing Ethereum private keys by hijacking wallet creation functions.
In a Rush? Here are the Quick Facts!
- Attackers exfiltrated stolen keys via the Polygon blockchain to evade detection.
- Over 1,000 downloads occurred before “set-utils” was removed from PyPI.
- Compromised wallets remain vulnerable even after uninstalling the package.
The package, which mimics legitimate Python utilities, was uploaded to the Python Package Index (PyPI) on January 29, 2025, and had been downloaded over 1,000 times before its discovery. Security researchers from Socket uncovered the attack and reported their findings.
Disguised as a simple tool for working with sets in Python, set-utils tricked developers into installing it. However, once in use, it silently stole Ethereum private keys and transmitted them to attackers through the Polygon blockchain.
This method makes the attack difficult to detect since most cybersecurity tools monitor traditional network traffic but do not flag blockchain transactions as suspicious.
The attack specifically targeted blockchain developers, decentralized finance (DeFi) projects, crypto exchanges, Web3 applications, and individuals using Python scripts to manage Ethereum wallets.
The package intercepted wallet creation functions in Python-based libraries, such as eth-account, and extracted private keys in the background. These keys were then encrypted using an attacker-controlled RSA public key and sent to the Polygon network through an RPC endpoint, effectively hiding the data in Ethereum transactions.
Unlike conventional phishing attacks or malware, this method bypasses common cybersecurity defenses. Since Ethereum transactions are permanent, attackers can retrieve stolen keys at any time.
Even if a user uninstalls the package, their wallets remain compromised. Any Ethereum accounts created while set-utils was active should be considered unsafe, and users are urged to transfer their funds to a new, secure wallet immediately.
Another stealth feature of the attack was its ability to modify standard wallet creation functions without the user noticing. The malicious code wrapped around normal Ethereum account generation functions, running in the background while the user continued to work. This ensured that every newly created wallet had its private key stolen.
Following its discovery, set-utils was removed from PyPI, but the risk remains for anyone who installed it before the takedown. Security experts advise checking Python environments for the package and scanning for any unauthorized wallet access.
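A defensive check for the two points above (a wallet-creation function wrapped at import time, and an environment that still carries the package), written as an added example that is not taken from Socket's report or from eth-account: `function_integrity_findings` flags a function whose `__wrapped__`, `__module__` or code-object filename do not match the package it should come from, and `installed_bad_packages` lists known-bad distributions present in the environment. The `eth_account.account` stand-in is constructed here under a fake path, and `_wrap` is a constructed placeholder for the kind of runtime wrapping the article describes.

```python
import functools
import os
from importlib import metadata

# Package name from the Socket report; everything else here is constructed.
KNOWN_BAD_PACKAGES = {"set-utils"}

def function_integrity_findings(func, expected_module, expected_dir):
    """Reasons `func` looks wrapped or replaced at runtime (empty = clean)."""
    findings = []
    target = getattr(func, "__func__", func)  # unwrap bound methods
    if hasattr(target, "__wrapped__"):
        findings.append("carries __wrapped__ (functools.wraps-style wrapper)")
    module = getattr(target, "__module__", None)
    if module != expected_module:
        findings.append(f"__module__ is {module!r}, expected {expected_module!r}")
    code = getattr(target, "__code__", None)
    if code is None:
        return findings + ["no __code__ object: not a plain Python function"]
    # functools.wraps copies names but not the code object, so co_filename
    # still points at the file that defined the wrapper.
    if os.path.dirname(os.path.abspath(code.co_filename)) != os.path.abspath(expected_dir):
        findings.append(f"code compiled from {code.co_filename!r}, not {expected_dir!r}")
    return findings

def installed_bad_packages(names=KNOWN_BAD_PACKAGES):
    """Sorted names from `names` that are installed in this environment."""
    wanted = {n.lower() for n in names}
    found = {d.metadata.get("Name") for d in metadata.distributions()
             if d.metadata.get("Name") and d.metadata.get("Name").lower() in wanted}
    return sorted(found)

# Constructed stand-in for eth-account's create(): compiled under a fake
# site-packages path so its code object appears to come from that package.
FAKE_PKG_DIR = "/fake/site-packages/eth_account"
_ns = {}
exec(compile("def create():\n    return 'fresh-account'\n",
             FAKE_PKG_DIR + "/account.py", "exec"), _ns)
create_original = _ns["create"]
create_original.__module__ = "eth_account.account"

def _wrap(fn):
    """Constructed stand-in for a library function wrapped at import time."""
    @functools.wraps(fn)
    def wrapper(*args, **kwargs):
        return fn(*args, **kwargs)
    return wrapper

create_wrapped = _wrap(create_original)
```

Running the two checks against the real `eth_account.Account.create` in a suspect environment works the same way, with `expected_dir` set to the installed eth_account package directory.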
The incident highlights the growing threat of supply chain attacks in the open-source ecosystem, where malicious software is disguised as helpful tools, putting developers and their projects at risk.

Pentagon Taps AI for Military Planning With Thunderforge Project
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Sarah Frazier Former Content Manager
The U.S. Department of Defense has awarded a contract to Scale AI to develop Thunderforge, an AI project intended to support military planning and decision-making.
In a Rush? Here are the Quick Facts!
- Thunderforge aims to modernize military decision-making using AI-driven analysis and automation.
- Initial rollout includes INDOPACOM and EUCOM, with expansion planned for all commands.
- Scale AI partners with Anduril and Microsoft to develop AI-powered military planning tools.
Led by the Defense Innovation Unit (DIU), the initiative aims to enhance operational and strategic analysis through AI-driven simulations and recommendations.
Thunderforge is designed to improve planning efficiency by addressing what DIU’s project leader Bryce Goodman describes as a gap between the speed of contemporary conflicts and traditional military decision-making.
“Today’s military planning processes rely on decades-old technology and methodologies,” Goodman said, according to the DIU blog. “Thunderforge allows decision-makers to operate at the pace required for emerging conflicts,” he added.
The system will initially be deployed within U.S. Indo-Pacific Command (INDOPACOM) and U.S. European Command (EUCOM), with plans for broader implementation across all 11 combatant commands.
Thunderforge’s AI tools will assist in mission planning, resource allocation, and strategic analysis, using large language models (LLMs) and simulations to refine recommendations. Despite AI integration, the DIU blog claims that the military commanders will retain ultimate decision-making authority.
Scale AI will oversee the project in collaboration with Anduril, Microsoft, and other technology firms. Anduril’s Lattice software and Microsoft’s LLMs will be integrated into the system, while Scale AI will contribute expertise in generative AI and automated decision-support tools.
“Our AI solutions will transform today’s military operating process and modernize American defense,” said Scale AI CEO Alexandr Wang, as reported by The Register.
The initiative has raised concerns regarding AI reliability and ethical implications in military applications. The Register reports that critics emphasize the need for safeguards to prevent unintended consequences in high-stakes scenarios.
DIU has emphasized that Thunderforge is designed with mechanisms for transparency, allowing users to trace AI decision-making processes and assess confidence levels. “Accuracy and reliability are core design principles, and maintaining human oversight is critical,” a DIU spokesperson said, as reported by The Register.
The use of AI in defense remains a topic of debate. Companies such as Google and Microsoft have previously faced employee opposition to military contracts involving AI, with some questioning the role of AI in warfare and surveillance, as noted by The Register.
However, defense officials argue that AI adoption is necessary to maintain a strategic advantage, particularly as other nations invest in similar technologies.
Dan Tadross, Scale AI’s head of federal delivery and a former Marine, underscored the need for modernization. “The planning and operational process for the U.S. military has not evolved since Napoleon,” he said, as reported by The Washington Post.
“After years of theorizing that AI could help military planning, the technology is now at the point where it can actually be helpful,” he added.