Article Details
Scrape Timestamp (UTC): 2026-01-22 10:10:29.180
Source: https://thehackernews.com/2026/01/malicious-pypi-package-impersonates.html
Original Article Text
Click to Toggle View
Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts. A new malicious package discovered in the Python Package Index (PyPI) has been found to impersonate a popular library for symbolic mathematics to deploy malicious payloads, including a cryptocurrency miner, on Linux hosts. The package, named sympy-dev, mimics SymPy, replicating the latter's project description verbatim in an attempt to deceive unsuspecting users into thinking that they are downloading a "development version" of the library. It has been downloaded over 1,100 times since it was first published on January 17, 2026. Although the download count is not a reliable yardstick for measuring the number of infections, the figure likely suggests some developers may have fallen victim to the malicious campaign. The package remains available for download as of writing. According to Socket, the original library has been modified to act as a downloader for an XMRig cryptocurrency miner on compromised systems. The malicious behavior is designed to trigger only when specific polynomial routines are called so as to fly under the radar. "When invoked, the backdoored functions retrieve a remote JSON configuration, download a threat actor-controlled ELF payload, then execute it from an anonymous memory-backed file descriptor using Linux memfd_create and /proc/self/fd, which reduces on-disk artifacts," security researcher Kirill Boychenko said in a Wednesday analysis. The altered functions are used to execute a downloader, which fetches a remote JSON configuration and an ELF payload from "63.250.56[.]54," and then launches the ELF binary along with the configuration as input directly in memory to avoid leaving artifacts on disk. This technique has been previously adopted by cryptojacking campaigns orchestrated by FritzFrog and Mimo. The end goal of the attack is to download two Linux ELF binaries that are designed to mine cryptocurrency using XMRig on Linux hosts. "Both retrieved configurations use an XMRig compatible schema that enables CPU mining, disables GPU backends, and directs the miner to Stratum over TLS endpoints on port 3333 hosted on the same threat actor-controlled IP addresses," Socket said. "Although we observed cryptomining in this campaign, the Python implant functions as a general purpose loader that can fetch and execute arbitrary second stage code under the privileges of the Python process."
Daily Brief Summary
A malicious package named sympy-dev was discovered on PyPI, impersonating the legitimate SymPy library to deploy harmful payloads on Linux hosts.
The package has been downloaded over 1,100 times since its release, indicating potential widespread impact among developers.
The malicious package modifies the original library to act as a downloader for the XMRig cryptocurrency miner, targeting specific polynomial routines to remain undetected.
When triggered, the backdoored functions download a remote JSON configuration and an ELF payload, executing them in memory to avoid leaving disk artifacts.
This attack method mirrors techniques used in past cryptojacking campaigns by groups like FritzFrog and Mimo, focusing on CPU mining while disabling GPU backends.
The campaign directs mining activities to Stratum over TLS endpoints on port 3333, using threat actor-controlled IP addresses for operations.
The Python implant serves as a versatile loader capable of executing arbitrary second-stage code, posing a broader threat beyond cryptomining.
Organizations should review and monitor their use of PyPI packages to prevent similar threats and consider implementing security measures to detect such malicious activities.