Fake “sympy-dev” Package on PyPI Impersonates Math Library to Infect Devs with XMRig Miner

A newly discovered malicious package in the Python Package Index (PyPI) impersonates a popular symbolic mathematics library to deploy harmful payloads, including a cryptocurrency miner, on Linux hosts.

Fake “sympy-dev” Masquerades as Legitimate Library

Specifically, the package, named sympy-dev, mimics SymPy by copying the legitimate project’s description verbatim in an effort to deceive unsuspecting users into believing they are downloading a “development version” of the library. Since its initial publication on January 17, 2026, the package has amassed more than 1,100 downloads.

Although download counts do not reliably measure infection rates, the number nonetheless suggests that some developers may have fallen victim to the malicious campaign. Notably, the package remains available for download at the time of writing.

Stealthy Payload Delivery via Modified Functions

According to Socket, the threat actor modified the original library to function as a downloader for an XMRig cryptocurrency miner on compromised systems. To remain covert, the malicious logic activates only when users call specific polynomial routines, allowing it to evade casual detection.

“When invoked, the backdoored functions retrieve a remote JSON configuration, download a threat actor-controlled ELF payload, then execute it from an anonymous memory-backed file descriptor using Linux memfd_create and /proc/self/fd, which reduces on-disk artifacts,” security researcher Kirill Boychenko said in a Wednesday analysis.

The altered functions execute a downloader that retrieves a remote JSON configuration and an ELF payload from “63.250.56[.]54,” then launches the ELF binary along with the configuration directly in memory to avoid leaving artifacts on disk. Previously, cryptojacking campaigns such as FritzFrog and Mimo have adopted this same technique.

Ultimately, the attack aims to download two Linux ELF binaries that mine cryptocurrency with XMRig on the compromised host.

“Both retrieved configurations use an XMRig compatible schema that enables CPU mining, disables GPU backends, and directs the miner to Stratum over TLS endpoints on port 3333 hosted on the same threat actor-controlled IP addresses,” Socket said.

“Although we observed cryptomining in this campaign, the Python implant functions as a general purpose loader that can fetch and execute arbitrary second stage code under the privileges of the Python process.”
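The two observable traits the article attributes to this implant, an ELF running from an anonymous memfd (whose /proc/<pid>/exe link reads "/memfd:<name> (deleted)") and a fetched JSON blob shaped like an XMRig configuration, can both be checked from a host snapshot. The following is an added defender-side example, not code from Socket or from the article; the /proc snapshot, the configuration and the pool address are constructed sample data, and the XMRig keys used (cpu, opencl, cuda, pools, url, tls) follow the public XMRig config layout.

```python
import json
import re

# Constructed sample of readlink("/proc/<pid>/exe") per pid. An executable launched from
# memfd_create via /proc/self/fd shows up as "/memfd:<name> (deleted)", not a disk path.
SAMPLE_PROC = {
    1234: "/usr/bin/python3.11",
    1310: "/memfd:xmrig (deleted)",
    1412: "/usr/lib/systemd/systemd",
    1500: "/memfd: (deleted)",
}

MEMFD_EXE = re.compile(r"^/memfd:.*\(deleted\)$")


def find_memfd_executables(snapshot):
    """Return the pids whose main executable is backed by an anonymous memfd."""
    return sorted(pid for pid, exe in snapshot.items() if MEMFD_EXE.match(exe))


# Constructed sample mirroring the traits the page describes: CPU mining on, GPU backends
# off, Stratum pool over TLS on port 3333. 203.0.113.10 is a documentation address, not an IoC.
SAMPLE_CONFIG = json.dumps({
    "cpu": {"enabled": True},
    "opencl": {"enabled": False},
    "cuda": {"enabled": False},
    "pools": [{"url": "203.0.113.10:3333", "tls": True, "user": "wallet-placeholder"}],
})


def xmrig_indicators(config_text):
    """Return a list of reasons a fetched JSON blob looks like an XMRig miner configuration."""
    try:
        cfg = json.loads(config_text)
    except ValueError:
        return []  # not JSON at all, so none of the schema checks apply
    hits = []
    if isinstance(cfg.get("cpu"), dict) and cfg["cpu"].get("enabled"):
        hits.append("cpu-mining-enabled")
    # A GPU backend that is present but explicitly disabled matches the observed configs.
    if any(not (cfg.get(k) or {}).get("enabled", True) for k in ("opencl", "cuda")):
        hits.append("gpu-backends-disabled")
    for pool in cfg.get("pools", []):
        url = str(pool.get("url", ""))
        if url.endswith(":3333"):
            hits.append(f"stratum-pool:{url}" + (" (tls)" if pool.get("tls") else ""))
    return hits
```

On a live Linux host the snapshot is built by calling os.readlink on /proc/<pid>/exe for each numeric entry in /proc, skipping pids that raise OSError.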

Source: TheHackerNews
