Malicious PyPI Package Mimic as Popular Sympy-Dev to Attack Millions of Users

Posted on January 22, 2026 By CWS

A new malicious package on the Python Package Index (PyPI), named sympy-dev, has been caught impersonating the widely used SymPy library to deliver cryptomining malware.

SymPy is a popular symbolic mathematics library that sees tens of millions of downloads every month, making it an attractive target for attackers looking to abuse developer trust and widespread adoption.

By copying SymPy's branding and project description, the fake package aimed to slip into developer workflows with minimal suspicion.

The threat actor published several versions of sympy-dev in quick succession, all containing hidden malicious code.

Once added to a project by mistake or through a mistyped command, the package could run on developer machines, continuous integration pipelines, and production systems.

This allowed the attacker to hijack computing resources for illicit cryptocurrency mining while remaining largely invisible to casual reviews of the code.

Socket.dev analysts first identified and documented the malicious behavior in sympy-dev after noticing that the package closely mimicked the legitimate SymPy listing.

Side-by-side PyPI listings contrast the legitimate sympy package (left) with sympy-dev (right) (Source – Socket.dev)

Their investigation showed how the attacker used typosquatting and lookalike metadata to trick users into installing the wrong package.

The researchers also noted that the package quickly crossed more than a thousand downloads within its first day online, proving how fast such threats can spread once they enter a public registry.
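A dependency-file check for the lookalike-name pattern described above, as an added example that is not from the article or Socket.dev. The function names, the approved list and the sample requirements are constructed for illustration; only names that resemble an approved package are reported.

```python
import difflib
import re


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_names(text):
    """Yield normalized project names from requirements.txt-style lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:                                   # skips blanks and options
            yield normalize(match.group(0))


def audit(text, approved, cutoff=0.85):
    """Return {name: reason} for unapproved names that resemble approved ones."""
    approved = sorted({normalize(a) for a in approved})
    findings = {}
    for name in requirement_names(text):
        if name in approved:
            continue
        for good in approved:
            # The sympy-dev pattern: a trusted name plus a plausible affix.
            if name.startswith(good + "-") or name.endswith("-" + good):
                findings[name] = f"approved name '{good}' with an extra affix"
                break
        else:
            near = difflib.get_close_matches(name, approved, n=1, cutoff=cutoff)
            if near:
                findings[name] = f"near-miss spelling of '{near[0]}'"
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = """\
numpy>=1.26
sympy-dev        # the lookalike name from the article
SymPy>=1.12
reqeusts
pyyaml
"""
APPROVED = ["sympy", "numpy", "requests"]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE, APPROVED).items():
        print(f"{name}: {reason}")
```

Run it in CI against every requirements file before the install step, so a mistyped or lookalike name fails the build instead of reaching a runner.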

Execution Chain: From Polynomial Math to Cryptomining

The most concerning part of this campaign lies in how the malware activates and runs.

Instead of triggering on import, the attacker injected a loader into specific polynomial routines inside the modified SymPy code.

When these math functions are called, the loader quietly contacts remote servers controlled by the attacker, fetches a configuration file, and then downloads a separate Linux binary.

Socket.dev researchers identified that this binary is an XMRig-based cryptominer configured to mine cryptocurrency over encrypted Stratum connections.

To reduce traces on disk, the loader uses Linux's memfd_create system call and executes the payload directly from memory using the /proc/self/fd path.

This in-memory execution pattern helps the malware evade simple file-based scans, while still turning legitimate algebra operations into a covert mining operation in the background.
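A defender-side check for the in-memory execution pattern described above, as an added example that is not from the article or Socket.dev. On Linux, a process started from a memfd_create descriptor has a /proc/<pid>/exe link that reads /memfd:<name> (deleted) instead of a path on disk; the function names and the fake /proc tree below are constructed for illustration.

```python
import os
import tempfile

MEMFD_PREFIX = "/memfd:"  # exe link target of a process run from a memfd


def find_memfd_processes(proc_root="/proc"):
    """Return sorted [(pid, exe_target)] for processes executing from a memfd."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip /proc/self, /proc/sys, ...
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # exited process, kernel thread, or no permission
        if target.startswith(MEMFD_PREFIX):
            hits.append((int(entry), target))
    return sorted(hits)


def build_fake_proc(root):
    """Constructed sample: a tiny /proc look-alike so the check runs offline."""
    sample = {
        "101": "/usr/bin/python3",         # normal on-disk interpreter
        "202": "/memfd:worker (deleted)",  # constructed in-memory payload
        "303": None,                       # no readable exe link (kernel thread)
    }
    for pid, exe in sample.items():
        os.makedirs(os.path.join(root, pid))
        if exe is not None:
            os.symlink(exe, os.path.join(root, pid, "exe"))
    os.makedirs(os.path.join(root, "self"))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for pid, exe in find_memfd_processes(build_fake_proc(tmp)):
            print(f"pid {pid} runs from anonymous memory: {exe}")
    # On a real host, call find_memfd_processes() as root to see every process.
```

Some legitimate tools also execute from a memfd (container runtimes such as runc have done so), so treat a hit as a lead to triage alongside CPU usage and outbound connections, not as a verdict.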
