Ravie LakshmananJan 22, 2026Cryptojacking / Malware
A brand new malicious package deal found within the Python Package deal Index (PyPI) has been discovered to impersonate a well-liked library for symbolic arithmetic to deploy malicious payloads, together with a cryptocurrency miner, on Linux hosts.
The package deal, named sympy-dev, mimics SymPy, replicating the latter’s mission description verbatim in an try to deceive unsuspecting customers into pondering that they’re downloading a “improvement model” of the library. It has been downloaded over 1,100 occasions because it was first printed on January 17, 2026.
Though the obtain rely shouldn’t be a dependable yardstick for measuring the variety of infections, the determine probably suggests some builders could have fallen sufferer to the malicious marketing campaign. The package deal stays out there for obtain as of writing.
In accordance with Socket, the unique library has been modified to behave as a downloader for an XMRig cryptocurrency miner on compromised programs. The malicious conduct is designed to set off solely when particular polynomial routines are known as in order to fly beneath the radar.
“When invoked, the backdoored features retrieve a distant JSON configuration, obtain a risk actor-controlled ELF payload, then execute it from an nameless memory-backed file descriptor utilizing Linux memfd_create and /proc/self/fd, which reduces on-disk artifacts,” safety researcher Kirill Boychenko stated in a Wednesday evaluation.
The altered features are used to execute a downloader, which fetches a distant JSON configuration and an ELF payload from “63.250.56[.]54,” after which launches the ELF binary together with the configuration as enter instantly in reminiscence to keep away from leaving artifacts on disk. This method has been beforehand adopted by cryptojacking campaigns orchestrated by FritzFrog and Mimo.
The tip aim of the assault is to obtain two Linux ELF binaries which might be designed to mine cryptocurrency utilizing XMRig on Linux hosts.
“Each retrieved configurations use an XMRig appropriate schema that allows CPU mining, disables GPU backends, and directs the miner to Stratum over TLS endpoints on port 3333 hosted on the identical risk actor-controlled IP addresses,” Socket stated.
“Though we noticed cryptomining on this marketing campaign, the Python implant features as a normal objective loader that may fetch and execute arbitrary second stage code beneath the privileges of the Python course of.”
