BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

PyPI ‘sympy-dev’ package deploys XMRig miner via backdoor…

  • sympy-dev on PyPI impersonated the SymPy library and has been downloaded over 1,100 times since its January 17, 2026 release.
  • The package modifies library routines to fetch a remote JSON, download an ELF payload, and execute it in memory to run an XMRig cryptocurrency miner on Linux hosts.
  • The malicious loader triggers only when specific polynomial functions are called and can execute arbitrary second-stage code under the Python process privileges.

A malicious Python package named sympy-dev on PyPI, published January 17, 2026, imitates the description of the legitimate SymPy project to lure users. The package has recorded more than 1,100 downloads and remains available at its PyPI page (https://pypi.org/project/sympy-dev/).

- Advertisement -

Analysis by Malware“>Socket shows the backdoored code alters certain polynomial routines to act as a downloader for a Linux ELF payload and configuration. The modified functions fetch a remote JSON configuration, download an ELF binary from the actor-controlled host 63.250.56[.]54, and execute the binary directly from memory using Linux memfd_create and /proc/self/fd to limit on-disk traces.

Security researcher Kirill Boychenko described the behavior in a Wednesday analysis: “When invoked, the backdoored functions retrieve a remote JSON configuration, download a threat actor-controlled ELF payload, then execute it from an anonymous memory-backed file descriptor using Linux memfd_create and /proc/self/fd, which reduces on-disk artifacts.”

The downloaded components include two ELF binaries that implement an XMRig-compatible mining setup. Socket noted that the configurations “use an XMRig compatible schema that enables CPU mining, disables GPU backends, and directs the miner to Stratum over TLS endpoints on port 3333 hosted on the same threat actor-controlled IP addresses.” “Although we observed cryptomining in this campaign, the Python implant functions as a general purpose loader that can fetch and execute arbitrary second stage code under the privileges of the Python process.”

The memory-only execution technique mirrors methods previously used by campaigns such as FritzFrog and Mimo. The package’s downloader behavior means affected Python processes may run additional payloads without writing them to disk.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Coinbase CLO Paul Grewal steps down, names successors

Coinbase Chief Legal Officer Paul Grewal will step down on July 31 and move...

npm 12 disables install scripts, phases out 2FA bypass tokens

GitHub released npm version 12 with install scripts disabled by default, making previously automatic...

Ethereum Foundation deploys AI agents to hunt for network bugs

Ethereum Foundation researchers deployed AI agents to red-team critical network infrastructure, uncovering real bugs.The...

Ethereum May Be Forming Short-Term Bottom, Says Ex-BofA Strategist

Ethereum may be forming a short-term bottom, according to a chart shared by Tom...

Tesla BTC stash plunges 66% despite Bitcoin’s 30% rally

Tesla's Bitcoin holdings have lost two-thirds of their value despite the cryptocurrency appreciating more...

Must Read

10 BEST Companies to Buy Hosting With Bitcoin And Crypto

If you are looking to buy hosting with bitcoin or cryptocurrency then you've come to the right place.I've done the research for you...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading