- sympy-dev on PyPI impersonated the SymPy library and has been downloaded over 1,100 times since its January 17, 2026 release.
- The package modifies library routines to fetch a remote JSON, download an ELF payload, and execute it in memory to run an XMRig cryptocurrency miner on Linux hosts.
- The malicious loader triggers only when specific polynomial functions are called and can execute arbitrary second-stage code under the Python process privileges.
A malicious Python package named sympy-dev on PyPI, published January 17, 2026, imitates the description of the legitimate SymPy project to lure users. The package has recorded more than 1,100 downloads and remains available at its PyPI page (https://pypi.org/project/sympy-dev/).
Analysis by Malware“>Socket shows the backdoored code alters certain polynomial routines to act as a downloader for a Linux ELF payload and configuration. The modified functions fetch a remote JSON configuration, download an ELF binary from the actor-controlled host 63.250.56[.]54, and execute the binary directly from memory using Linux memfd_create and /proc/self/fd to limit on-disk traces.
Security researcher Kirill Boychenko described the behavior in a Wednesday analysis: “When invoked, the backdoored functions retrieve a remote JSON configuration, download a threat actor-controlled ELF payload, then execute it from an anonymous memory-backed file descriptor using Linux memfd_create and /proc/self/fd, which reduces on-disk artifacts.”
The downloaded components include two ELF binaries that implement an XMRig-compatible mining setup. Socket noted that the configurations “use an XMRig compatible schema that enables CPU mining, disables GPU backends, and directs the miner to Stratum over TLS endpoints on port 3333 hosted on the same threat actor-controlled IP addresses.” “Although we observed cryptomining in this campaign, the Python implant functions as a general purpose loader that can fetch and execute arbitrary second stage code under the privileges of the Python process.”
The memory-only execution technique mirrors methods previously used by campaigns such as FritzFrog and Mimo. The package’s downloader behavior means affected Python processes may run additional payloads without writing them to disk.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Solana Falls From $200 to Below $130 — Rebound Hopes in 2026
- Ruble-backed A7A5 stablecoin surpasses $100B amid sanctions.
- China EVs Shift to Seven-Year Loans to Avoid Price Wars Push
- BPI Fedi and Cornell Launch Two-Year Financial Privacy Study
- Best Crypto Audiobooks of 2026: The Ultimate Listen & Learn Guide
