A malicious PyPI package named sympy-dev, impersonating SymPy, has been found to deliver a cryptomining payload that downloads and executes ELF binaries on Linux hosts. The backdoored polynomial routines fetch a remote JSON configuration and an ELF payload from a threat-actor server (63.250.56.54), then launch XMRig in memory using memfd_create and /proc/self/fd to avoid leaving disk artifacts. #sympy-dev #XMRig
Key points
- sympy-dev impersonates the SymPy library on PyPI and has been downloaded over 1,100 times.
- Backdoored polynomial functions act as a downloader that retrieves a remote JSON config and ELF payload.
- Payloads are executed directly in memory via memfd_create and /proc/self/fd to reduce on-disk traces.
- The campaign deploys XMRig-compatible ELF miners configured for CPU mining and Stratum over TLS on port 3333.
- The Python implant functions as a general-purpose loader able to fetch and run arbitrary second-stage code with the privileges of the Python process.
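The memfd_create + /proc/self/fd execution described above leaves a recognisable trace: the kernel renders /proc/<pid>/exe of such a process as "/memfd:<name> (deleted)" instead of a path on disk. The following host-side check is an added example written for this summary, not code from the article or from the package it describes; it assumes a Linux host with procfs mounted, and the sample exe link targets it ships with are constructed, not taken from the campaign.

```python
"""Flag Linux processes whose executable is an anonymous memfd (added example)."""
import os
import re
from typing import Dict, List

# A binary run via memfd_create() + execve("/proc/self/fd/N") has no path on
# disk, so the kernel renders /proc/<pid>/exe as "/memfd:<name> (deleted)".
MEMFD_EXE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")
# An on-disk binary unlinked after launch renders as "<path> (deleted)": not
# the memfd case, but the same drop-run-delete tradecraft, so flag it too.
DELETED_EXE = re.compile(r"^(?P<path>/.+) \(deleted\)$")

def classify_exe_target(target: str) -> Dict[str, str]:
    """Classify one /proc/<pid>/exe link target; {} means nothing notable."""
    m = MEMFD_EXE.match(target)
    if m:
        return {"kind": "memfd_exec", "detail": m.group("name")}
    m = DELETED_EXE.match(target)
    if m:
        return {"kind": "deleted_exec", "detail": m.group("path")}
    return {}

def scan_proc(proc_root: str = "/proc") -> List[Dict[str, str]]:
    """Walk procfs and return one finding per process with a notable exe."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
            with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited, kernel thread, or no permission: skip
        finding = classify_exe_target(target)
        if finding:
            finding.update(pid=entry, cmdline=cmdline)
            findings.append(finding)
    return findings

# Constructed sample of exe link targets, as a scan would see them.
SAMPLE_EXE_TARGETS = ["/usr/bin/python3.11", "/memfd:kworker (deleted)", "/tmp/.x/m (deleted)"]

if __name__ == "__main__":
    for t in SAMPLE_EXE_TARGETS:
        print(t, "->", classify_exe_target(t) or "on-disk, nothing notable")
    for f in scan_proc():
        print(f"pid={f['pid']} {f['kind']} {f['detail']!r} cmdline={f['cmdline']!r}")
```

Running it as root gives full coverage; unprivileged, readlink on other users' exe links fails with EACCES and those processes are silently skipped, so pair it with an EDR or auditd rule on the memfd_create syscall for continuous coverage.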
Read More: https://thehackernews.com/2026/01/malicious-pypi-package-impersonates.html