Malicious PyPI Package sympy-dev Deploys XMRig Miner on Linux Hosts
Summary
A malicious Python Package Index (PyPI) package named sympy-dev impersonates the legitimate SymPy library to deploy an XMRig cryptocurrency miner on Linux hosts. The package, which has been downloaded over 1,100 times since its publication on January 17, 2026, includes backdoored functions that trigger only when specific polynomial routines are called. The malicious payload is fetched from a remote server and executed in memory to avoid leaving disk artifacts. The campaign has been linked to techniques previously used by cryptojacking groups like FritzFrog and Mimo. The package remains available for download as of the report's publication.
Timeline
- 22.01.2026 12:04 (1 article): Malicious PyPI Package sympy-dev Deploys XMRig Miner on Linux Hosts
- Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts — thehackernews.com — 22.01.2026 12:04
Information Snippets
- The malicious package sympy-dev mimics the legitimate SymPy library, using its project description to deceive users.
  First reported: 22.01.2026 12:04 (1 source, 1 article)
  - Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts — thehackernews.com — 22.01.2026 12:04
- The package has been downloaded over 1,100 times since its publication on January 17, 2026.
  First reported: 22.01.2026 12:04 (1 source, 1 article)
  - Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts — thehackernews.com — 22.01.2026 12:04
- The package includes backdoored functions that trigger only when specific polynomial routines are called.
  First reported: 22.01.2026 12:04 (1 source, 1 article)
  - Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts — thehackernews.com — 22.01.2026 12:04
- The malicious payload is fetched from a remote server at IP address 63.250.56[.]54.
  First reported: 22.01.2026 12:04 (1 source, 1 article)
  - Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts — thehackernews.com — 22.01.2026 12:04
- The payload is executed in memory using Linux memfd_create and /proc/self/fd to avoid leaving disk artifacts.
  First reported: 22.01.2026 12:04 (1 source, 1 article)
  - Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts — thehackernews.com — 22.01.2026 12:04
- The campaign deploys two Linux ELF binaries designed to mine cryptocurrency using XMRig.
  First reported: 22.01.2026 12:04 (1 source, 1 article)
  - Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts — thehackernews.com — 22.01.2026 12:04
- The Python implant functions as a general-purpose loader capable of fetching and executing arbitrary second-stage code.
  First reported: 22.01.2026 12:04 (1 source, 1 article)
  - Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts — thehackernews.com — 22.01.2026 12:04
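
The in-memory execution noted above (memfd_create plus /proc/self/fd) leaves one reliable host-side trace: the kernel reports the process image as `/memfd:<name> (deleted)` in `/proc/<pid>/exe`. The following triage script is an added example, not code from the report or the package; the function names and the `proc_root` parameter are assumptions made for illustration.

```python
import os
from pathlib import Path

MEMFD_PREFIX = "/memfd:"   # exe link target the kernel reports for memfd-backed images
DELETED = " (deleted)"     # suffix the kernel appends because a memfd has no on-disk path


def memfd_name(target):
    """Return the memfd name if an exe link target is memfd-backed, else None."""
    if not target.startswith(MEMFD_PREFIX):
        return None
    name = target[len(MEMFD_PREFIX):]
    return name[:-len(DELETED)] if name.endswith(DELETED) else name


def scan_proc(proc_root="/proc"):
    """List processes whose executable image lives in an anonymous memfd."""
    findings = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue  # skip non-process entries such as "self" or "sys"
        try:
            target = os.readlink(entry / "exe")
        except OSError:
            continue  # kernel thread, exited process, or insufficient privilege
        name = memfd_name(target)
        if name is None:
            continue
        try:
            raw = (entry / "cmdline").read_bytes()
        except OSError:
            raw = b""  # process exited between the two reads
        cmdline = raw.replace(b"\0", b" ").decode("utf-8", "replace").strip()
        findings.append({"pid": int(entry.name), "exe": target,
                         "memfd_name": name, "cmdline": cmdline})
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in scan_proc():
        print(f"pid={f['pid']} exe={f['exe']!r} cmdline={f['cmdline']!r}")
```

Run it as root so other users' `exe` links are readable. Some legitimate software also executes from a memfd, so treat a hit as a lead to correlate with outbound connections and CPU usage rather than a verdict.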