The package hooks into standard Ethereum wallet creation functions like 'from_key ()' and 'from_mnewmonic ()' to intercept private keys as they are generated on the compromised machine.