A new malicious package discovered in the Python Package Index (PyPI) was found to impersonate a popular symbolic mathematics library and deploy a malicious payload, including a cryptocurrency miner, to Linux hosts.
The package, named sympy-dev, mimics SymPy and copies SymPy’s project description exactly in an attempt to trick unsuspecting users into thinking they are downloading a “development version” of the library. It was first published on January 17, 2026 and has since been downloaded over 1,100 times.
While download numbers are not a reliable metric for measuring infection numbers, this number may suggest that some developers may have fallen victim to a malicious campaign. This package is still available for download at the time of writing.
According to Socket, the original library has been modified to act as a downloader for the XMRig cryptocurrency miner on compromised systems. This malicious behavior is designed to be unnoticeable and to only be triggered when a specific polynomial routine is called.
“Once the backdoor functionality is invoked, it retrieves a remote JSON configuration, downloads an attacker-controlled ELF payload, and executes it from an anonymous memory-backed file descriptor using Linux memfd_create and /proc/self/fd. This reduces on-disk artifacts,” security researcher Kirill Boychenko said in an analysis Wednesday.
The modified function is used to run the downloader and retrieve the remote JSON configuration and ELF payload from ‘63.250.56’.[.]54″ and launches the ELF binary and configuration directly into memory to avoid leaving any artifacts on disk. This technique was previously employed in cryptojacking campaigns organized by FritzFrog and Mimo.
The ultimate goal of the attack is to download two Linux ELF binaries designed to mine cryptocurrencies using XMRig on Linux hosts.
“Both captured configurations use an XMRig-compatible schema that enables CPU mining, disables the GPU backend, and directs miners to Stratum via a TLS endpoint on port 3333 hosted on an IP address controlled by the same threat actor,” Socket said.
“While cryptomining was observed in this campaign, the Python implant acts as a general-purpose loader that can fetch and execute arbitrary second-stage code under the privileges of the Python process.”
Source link
