Malicious PyPI Package ‘sympy-dev’ Deploys XMRig Miner on Linux Systems
A recent discovery in the Python Package Index (PyPI) has unveiled a malicious package named ‘sympy-dev’ that impersonates the legitimate SymPy library to deploy cryptocurrency mining malware on Linux systems. This package has been downloaded over 1,100 times since its initial release on January 17, 2026.
Deceptive Tactics and Distribution
The ‘sympy-dev’ package mirrors the official SymPy library’s project description, misleading developers into believing they are installing a development version of the genuine library. This form of impersonation is a common tactic in supply chain attacks, where malicious actors exploit the trust associated with popular libraries to distribute malware.
Mechanism of the Attack
Upon installation, ‘sympy-dev’ modifies specific polynomial functions within the library. When these functions are executed, they initiate a sequence that downloads a remote JSON configuration and an ELF (Executable and Linkable Format) payload from the IP address 63.250.56[.]54. The payload is then executed directly from memory using Linux’s ‘memfd_create’ system call and a ‘/proc/self/fd’ path, so the binary never needs to be written to disk and leaves little for file-based scanners to find.
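The memfd_create and /proc/self/fd technique described above has a visible side effect that defenders can look for: the kernel reports a memfd-backed executable in /proc/<pid>/exe and /proc/<pid>/maps as a pseudo-file named "/memfd:<name> (deleted)". The following script, an added example that is not part of the article or of any referenced analysis, classifies such exe link targets, extracts memfd-backed regions from a maps listing, and walks /proc on a Linux host to list matching processes. The sample maps text is constructed for illustration; the classification thresholds and tmpfs prefixes are assumptions.

```python
"""Spot Linux processes whose executable exists only in memory.

Added example, not from the article: when a payload is executed through
memfd_create() and /proc/self/fd/N, /proc/<pid>/exe resolves to a target of
the form "/memfd:<name> (deleted)" and the mapped region carries the same
name in /proc/<pid>/maps. This script classifies exe link targets and, on a
Linux host, walks /proc to report processes that match.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern the kernel uses for memfd-backed pseudo-files in /proc link targets.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)\s*\(deleted\)$")
# tmpfs locations commonly abused for drop-and-run (assumed list).
TMPFS_PREFIXES = ("/dev/shm/", "/run/shm/")


@dataclass
class Finding:
    pid: int
    exe: str
    reason: str


def classify_exe_target(target: str) -> Optional[str]:
    """Return why an exe symlink target looks fileless, or None if it looks normal."""
    if MEMFD_RE.match(target):
        return "executable is a memfd pseudo-file (no on-disk copy)"
    if target.endswith(" (deleted)"):
        return "executable was unlinked after the process started"
    if target.startswith(TMPFS_PREFIXES):
        return "executable was launched from tmpfs shared memory"
    return None


def memfd_mappings(maps_text: str) -> List[str]:
    """Names of memfd-backed regions in a /proc/<pid>/maps listing."""
    names = []
    for line in maps_text.splitlines():
        # address perms offset dev inode [pathname]; pathname may contain spaces
        fields = line.split(None, 5)
        if len(fields) == 6:
            m = MEMFD_RE.match(fields[5].strip())
            if m:
                names.append(m.group("name"))
    return names


def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Walk /proc and report processes whose exe target is classified as fileless."""
    findings: List[Finding] = []
    if not os.path.isdir(proc_root):
        return findings
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:  # permission denied, process already exited, kernel threads
            continue
        reason = classify_exe_target(target)
        if reason:
            findings.append(Finding(int(entry), target, reason))
    return findings


# Constructed sample of a /proc/<pid>/maps listing (not captured from the malware).
SAMPLE_MAPS = """\
5581f0a00000-5581f0a1d000 r--p 00000000 08:01 131 /usr/bin/python3
7f3c1c000000-7f3c1c400000 r-xp 00000000 00:01 9   /memfd:payload (deleted)
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0   [stack]
"""

if __name__ == "__main__":
    print("memfd regions in sample maps:", memfd_mappings(SAMPLE_MAPS))
    for f in scan_proc():
        print(f"pid={f.pid} exe={f.exe!r}: {f.reason}")
```

Run it as root (or with CAP_SYS_PTRACE) to read the exe links of processes owned by other users; a benign hit is possible (some runtimes and sandboxes use memfd legitimately), so treat a finding as a lead to correlate with CPU usage and outbound connections rather than as proof of compromise.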
Deployment of XMRig Miner
The primary objective of this attack is to deploy the XMRig cryptocurrency miner on compromised Linux hosts. The downloaded configurations are compatible with XMRig, enabling CPU mining while disabling GPU backends. The miner connects to Stratum over TLS endpoints on port 3333, hosted on the same threat actor-controlled IP addresses.
Implications and Broader Context
This incident underscores the persistent threat posed by malicious packages in open-source repositories. By exploiting the trust and widespread use of legitimate libraries, attackers can infiltrate systems and execute unauthorized operations, such as cryptojacking. This technique has been observed in previous campaigns, including those orchestrated by FritzFrog and Mimo, which utilized similar in-memory execution methods to deploy cryptocurrency miners.
Recommendations for Developers
To mitigate the risks associated with such attacks, developers are advised to:
– Verify Package Authenticity: Always confirm the legitimacy of packages by checking the official repository and cross-referencing with trusted sources.
– Monitor for Suspicious Activity: Implement monitoring tools to detect unusual behavior, such as unexpected network connections or high CPU usage, which may indicate malicious activity.
– Stay Informed: Keep abreast of security advisories and updates from reputable cybersecurity organizations to be aware of emerging threats.
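The first recommendation, verifying package authenticity, can be partly automated before anything is installed. The script below is an added example, not code from the article or from SymPy or PyPI, showing a pre-install check that compares every name in a requirements file against a trusted allow-list. It flags the "trusted name plus affix" pattern that ‘sympy-dev’ uses against ‘sympy’, and one-character typosquats via edit distance. The allow-list, affix list and sample requirements file are constructed for illustration.

```python
"""Flag requirement names that look like impersonations of well-known packages.

Added example, not from the article: compares each requested distribution
name against a trusted allow-list using two heuristics, a trusted name with
only affix words added (e.g. 'sympy-dev' for 'sympy') and a one-edit
typosquat. Allow-list and affixes are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

TRUSTED = {"sympy", "numpy", "scipy", "requests"}  # constructed allow-list
AFFIXES = {"dev", "devel", "utils", "tools", "lib", "py", "python", "core", "beta", "new"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of -, _ and . become one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(name: str, trusted=TRUSTED) -> Optional[str]:
    """Return a reason if `name` looks like an impersonation of a trusted name, else None."""
    n = normalize(name)
    if n in trusted:
        return None
    parts = n.split("-")
    for t in sorted(trusted):
        # 'sympy-dev', 'dev-sympy', 'sympy-python': a trusted name plus only affix words
        if t in parts and len(parts) > 1 and all(p == t or p in AFFIXES for p in parts):
            return f"{name!r} is {t!r} with an added affix"
        if levenshtein(n, t) == 1:
            return f"{name!r} is one edit away from {t!r}"
    return None


def parse_requirements(text: str) -> List[str]:
    """Extract distribution names from requirements.txt-style lines (simple subset)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):  # skip blanks and options such as -r
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def audit(text: str) -> Dict[str, str]:
    """Map each suspicious requirement name to the reason it was flagged."""
    return {n: r for n in parse_requirements(text) if (r := check_name(n))}


# Constructed sample requirements file.
SAMPLE_REQUIREMENTS = """\
sympy==1.12
sympy-dev>=0.1        # impersonates sympy
requets               # typo of requests
numpy>=1.26
"""

if __name__ == "__main__":
    for reason in audit(SAMPLE_REQUIREMENTS).values():
        print(f"WARNING: {reason}")
```

A check like this belongs in CI or a pre-commit hook, fed with the organisation's own allow-list; it complements, rather than replaces, pinning hashes (pip's --require-hashes) and reviewing a package's project page and maintainer history before first use.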
Conclusion
The discovery of the ‘sympy-dev’ package highlights the critical need for vigilance in the open-source community. By adopting proactive security measures and fostering a culture of caution, developers can help safeguard their systems against the evolving landscape of supply chain attacks.