Malicious PyPI Package Masquerades as SymPy and Deploys XMRig Miner on Linux Hosts

A newly identified malicious package hosted on the Python Package Index (PyPI) has been caught impersonating the widely used SymPy library to deploy harmful payloads on Linux machines. The campaign highlights the growing risk of supply chain attacks targeting developers through trusted open source repositories.

Fake Development Package Targets Python Users

The malicious package, named sympy-dev, was designed to closely imitate the legitimate SymPy library, which is commonly used for symbolic mathematics in Python. To increase credibility, the attackers copied the official SymPy project description word for word, making it appear as if the package were an authentic development version.

Since its publication on January 17, 2026, the package has been downloaded more than 1,100 times. While download numbers do not directly equate to successful infections, the figure suggests that multiple developers may have unknowingly installed the malicious package. At the time of reporting, the package is still available on PyPI.

Hidden Cryptominer Payload on Linux Hosts

Security researchers at Socket revealed that the fake package contains a modified version of the original library that functions as a downloader for an XMRig cryptocurrency miner. The malicious logic is carefully embedded to avoid immediate detection.

The altered behavior is triggered only when specific polynomial-related routines are executed. This selective activation lets the malware remain dormant during casual use, reducing the likelihood of raising suspicion during testing or routine development work.

Fileless Execution Using Linux Memory Techniques

According to security researcher Kirill Boychenko, once the malicious functions are invoked, they retrieve a remote JSON configuration file and download an ELF payload controlled by the threat actor. The payload is then executed directly from memory using Linux features such as memfd_create and /proc/self/fd.


This fileless execution method significantly reduces on-disk artifacts, making detection and forensic analysis more difficult. Similar techniques have previously been observed in cryptojacking campaigns associated with FritzFrog and Mimo.

Infrastructure and Mining Configuration

The downloader retrieves both the configuration file and the ELF payload from the IP address 63.250.56[.]54. Once executed, the payload launches an XMRig-based miner directly in memory, passing the configuration as input.

Socket noted that the retrieved configurations follow an XMRig-compatible schema. CPU-based mining is enabled, GPU backends are disabled, and mining traffic is directed to Stratum-over-TLS endpoints operating on port 3333. These endpoints are hosted on infrastructure controlled by the attackers.

Broader Risk Beyond Cryptomining

While the observed campaign focuses on cryptomining, researchers warn that the Python implant is not limited to this single purpose. The loader is capable of downloading and executing arbitrary second stage payloads under the same privileges as the running Python process.

This means affected systems could potentially be repurposed for data theft, lateral movement, or deployment of more destructive malware in future stages.

Security Implications for Developers

The incident underscores the importance of carefully verifying package names, maintainers, and sources before installation, especially when dealing with similarly named libraries. Developers and organizations are advised to audit their environments for the presence of the sympy-dev package and remove it immediately if found.
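The following is an added example, not code from the report or from Socket, covering the two defender-side checks this article points at: auditing an installed-package inventory for the typosquatted sympy-dev name, and looking for the one artifact that memfd_create plus /proc/self/fd execution still leaves on a Linux host, a process whose /proc/<pid>/exe resolves to an anonymous memfd rather than a file on disk. The function and constant names are the example's own; the only page-derived value is the package name.

```python
"""Defender-side checks for the sympy-dev incident (added example, not Socket's code)."""
import os
import re
from importlib.metadata import distributions

# Distribution name taken from the report; "sympy" itself is the legitimate library.
SUSPICIOUS_DISTS = {"sympy-dev"}

# The kernel exposes memfd-backed executables as "/memfd:<name> (deleted)" in /proc/<pid>/exe.
MEMFD_EXE = re.compile(r"^/memfd:")


def normalize(name: str) -> str:
    """PEP 503 name normalization, so Sympy_Dev, sympy.dev and sympy-dev compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_suspicious_packages(installed_names):
    """Return the installed names (as given) whose normalized form is flagged."""
    return sorted(n for n in installed_names if normalize(n) in SUSPICIOUS_DISTS)


def find_memfd_processes(exe_links):
    """exe_links maps pid -> readlink target of /proc/<pid>/exe.
    Returns the pids whose main executable exists only in an anonymous memfd."""
    return sorted(pid for pid, target in exe_links.items() if MEMFD_EXE.match(target))


def read_proc_exe_links():
    """Collect /proc/<pid>/exe targets on the live host (Linux only; unreadable pids are skipped)."""
    links = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            links[int(entry)] = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # process exited, or belongs to another user and is not inspectable
    return links


if __name__ == "__main__":
    names = [d.metadata["Name"] for d in distributions() if d.metadata["Name"]]
    print("suspicious packages:", find_suspicious_packages(names))
    if os.path.isdir("/proc"):
        print("memfd-backed processes:", find_memfd_processes(read_proc_exe_links()))
```

A memfd-backed process is not proof of compromise on its own (some runtimes and sandboxes use memfd legitimately), so treat a hit as a lead to triage alongside the package check, not as a verdict.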
