A brand new malicious package deal found within the Python Bundle Index (PyPI) has been discovered to impersonate a well-liked library for symbolic arithmetic to deploy malicious payloads, together with a cryptocurrency miner, on Linux hosts.
The package deal, named sympy-dev, mimics SymPy, replicating the latter’s undertaking description verbatim in an try and deceive unsuspecting customers into pondering that they’re downloading a “improvement model” of the library. It has been downloaded over 1,100 occasions because it was first revealed on January 17, 2026.
Though the obtain depend just isn’t a dependable yardstick for measuring the variety of infections, the determine doubtless suggests some builders might have fallen sufferer to the malicious marketing campaign. The package deal stays out there for obtain as of writing.
In accordance with Socket, the unique library has been modified to behave as a downloader for an XMRig cryptocurrency miner on compromised techniques. The malicious habits is designed to set off solely when particular polynomial routines are referred to as in order to fly underneath the radar.
“When invoked, the backdoored capabilities retrieve a distant JSON configuration, obtain a menace actor-controlled ELF payload, then execute it from an nameless memory-backed file descriptor utilizing Linux memfd_create and /proc/self/fd, which reduces on-disk artifacts,” safety researcher Kirill Boychenko mentioned in a Wednesday evaluation.
The altered capabilities are used to execute a downloader, which fetches a distant JSON configuration and an ELF payload from “63.250.56[.]54,” after which launches the ELF binary together with the configuration as enter immediately in reminiscence to keep away from leaving artifacts on disk. This memory-resident approach has been beforehand noticed in cryptojacking campaigns orchestrated by FritzFrog and Mimo.
The tip objective of the assault is to obtain two Linux ELF binaries which are designed to mine cryptocurrency utilizing XMRig on Linux hosts.
“Each retrieved configurations use an XMRig suitable schema that permits CPU mining, disables GPU backends, and directs the miner to Stratum over TLS endpoints on port 3333 hosted on the identical menace actor-controlled IP addresses,” Socket mentioned.
“Though we noticed cryptomining on this marketing campaign, the Python implant capabilities as a common objective loader that may fetch and execute arbitrary second stage code underneath the privileges of the Python course of.”
Replace
The Python package deal is not out there for obtain from PyPI as of January 24, 2026.
