Sympy-dev malicious PyPI package delivers XMRig payloads on Linux
Malware Activity
Summary
The malicious sympy-dev package on PyPI impersonates SymPy and delivers a downloader that can fetch and execute XMRig-related payloads on Linux hosts, creating cryptomining and post-install compromise risk. The package copied the legitimate project description and was downloaded over 1,100 times after publication on January 17, 2026, suggesting some users may have been exposed. Its malicious functions activate only when specific polynomial routines are called, helping the code stay hidden. The execution chain uses memfd_create and /proc/self/fd to run payloads in memory and reduce on-disk artifacts.
Related Happenings
ZiChatBot PyPI supply-chain malware delivery
Malware Activity
First: 07.05.2026 12:20
Last: 07.05.2026 12:20
Sources 1
About this happening:
A **PyPI supply-chain attack** used **three packages** to quietly deliver **ZiChatBot**, creating a cross-platform malware risk for **Windows and Linux** installs. The packages we...
PyTorch Lightning hit by network compromise
Incident
First: 04.05.2026 20:15
Last: 04.05.2026 20:15
Sources 1
About this happening:
A **malicious PyTorch Lightning release** on **PyPI** created a supply-chain compromise that can steal credentials as soon as the package is imported. The backdoored **version 2.6...
Lightning PyPI router_runtime.js credential-stealing payload
Malware Activity
First: 30.04.2026 19:31
Last: 30.04.2026 19:31
Sources 1
About this happening:
The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...
Latest development: 04.05.2026 20:15
Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.
Plain-crypto-js remote-access Trojan delivery
Malware Activity
First: 31.03.2026 23:55
Last: 31.03.2026 23:55
Sources 1
About this happening:
The malicious **plain-crypto-js** dependency delivered a **remote-access Trojan (RAT)** that can run on **Windows, Linux, and Mac**, extending the open-source supply-chain comprom...
Latest development: 04.04.2026 23:30
Google Threat Intelligence Group linked the Axios npm compromise to UNC1069, a financially motivated North Korea-nexus threat actor, based on the use of WAVESHAPER.V2 and overlaps with infrastructure artifacts used by UNC1069 in past activity. The Axios maintainers also wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.
Telnyx Python package hit by data theft breach
Incident
First: 27.03.2026 18:53
Last: 27.03.2026 18:53
Sources 1
About this happening:
The **telnyx** Python package was **compromised on PyPI** with **4.87.1** and **4.87.2**, exposing downstream importers to **credential theft** and **data exfiltration**. The mali...
Timeline
- 22.01.2026 12:04 · 1 article · 4mo ago
  sympy-dev published on PyPI as a SymPy impersonator
  Campaign Scope Update: The malicious sympy-dev package was first published on PyPI on January 17, 2026, after copying SymPy's project description verbatim to pose as a development version of the library. The package targeted Linux hosts and established the distribution point for a downloader that later fetched XMRig-related payloads.
  Sources:
  - Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts — thehackernews.com — 22.01.2026 12:04
- 22.01.2026 12:04 · 2 articles · 4mo ago
  Security analysis details sympy-dev downloader behavior
  Initial Disclosure: Security analysis identified sympy-dev as a malicious PyPI package that impersonates SymPy, triggers only when specific polynomial routines are called, and acts as a downloader for an XMRig cryptocurrency miner on compromised Linux hosts. The backdoored functions retrieve a remote JSON configuration, download a threat actor-controlled ELF payload from 63.250.56[.]54, and execute it in memory with Linux memfd_create and /proc/self/fd to reduce on-disk artifacts; the retrieved configurations use an XMRig-compatible schema that enables CPU mining, disables GPU backends, and points the miner to Stratum over TLS on port 3333.
  Sources:
  - Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts — thehackernews.com — 22.01.2026 12:04
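The summary and the disclosure entry both describe the same execution trick: the ELF payload is written to an anonymous file from memfd_create and executed through /proc/self/fd, so nothing lands on disk. That does not make it invisible to a defender, because the kernel still reports such a process with an exe link of the form "/memfd:<name> (deleted)", and argv[0] often keeps the /proc/self/fd/N path the loader used. The following script, added here as an illustration and not taken from the article or the cited analysis, scans a proc tree for both indicators and adds a small heuristic for the XMRig-style configuration the entry mentions (CPU mining on, GPU backends off, pool on port 3333 with TLS). The proc tree and the configuration are constructed inline, and the XMRig config key names are assumptions, not values quoted from the page.

```python
"""Defender-side check for memfd_create + /proc/self/fd execution on Linux.

All sample data is constructed in this file; the XMRig configuration key
names (cpu, opencl, cuda, pools, url, tls) are assumed, not from the article.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional

# /proc/<pid>/exe of a binary loaded via memfd_create(2) resolves to this shape.
MEMFD_EXE_RE = re.compile(r"^/memfd:.* \(deleted\)$")
# argv[0] or exe of the form /proc/self/fd/N or /proc/<pid>/fd/N.
PROC_FD_RE = re.compile(r"^/proc/(self|\d+)/fd/\d+$")


def classify_exe(exe_target: str, argv0: str = "") -> Optional[str]:
    """Return why a process looks fileless, or None if it looks ordinary."""
    if MEMFD_EXE_RE.match(exe_target):
        return "memfd-backed executable"
    if PROC_FD_RE.match(exe_target) or PROC_FD_RE.match(argv0):
        return "executed via /proc/*/fd"
    return None


def scan_proc(proc_root: str = "/proc") -> List[Dict]:
    """Walk a proc tree (real or constructed) and report fileless processes."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # not a pid directory
        pid_dir = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue  # kernel thread, already exited, or no permission
        argv0 = ""
        try:
            with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0", 1)[0].decode(errors="replace")
        except OSError:
            pass
        reason = classify_exe(exe, argv0)
        if reason:
            findings.append({"pid": int(entry), "exe": exe, "argv0": argv0, "reason": reason})
    return sorted(findings, key=lambda f: f["pid"])


def miner_config_indicators(cfg: dict) -> List[str]:
    """Heuristics for an XMRig-style JSON config (key names are assumed)."""
    hits = []
    if cfg.get("cpu", {}).get("enabled") is True:
        hits.append("cpu mining enabled")
    if cfg.get("opencl", {}).get("enabled") is False and cfg.get("cuda", {}).get("enabled") is False:
        hits.append("gpu backends disabled")
    for pool in cfg.get("pools", []):
        url = str(pool.get("url", ""))
        if url.endswith(":3333") and pool.get("tls") is True:
            hits.append(f"stratum over tls on 3333: {url}")
    return hits


# Constructed sample config matching the schema the report describes, not a captured one.
SAMPLE_CONFIG = {
    "cpu": {"enabled": True},
    "opencl": {"enabled": False},
    "cuda": {"enabled": False},
    "pools": [{"url": "pool.example.invalid:3333", "tls": True}],
}


def build_fake_proc(root: str) -> None:
    """Constructed proc tree: two ordinary processes and one memfd-backed one."""
    procs = {
        "101": ("/usr/bin/python3", b"python3\0-c\0import sympy\0"),
        "202": ("/memfd:payload (deleted)", b"/proc/self/fd/3\0"),
        "303": ("/usr/lib/systemd/systemd", b"/usr/lib/systemd/systemd\0"),
    }
    for pid, (exe, cmdline) in procs.items():
        pid_dir = os.path.join(root, pid)
        os.makedirs(pid_dir)
        os.symlink(exe, os.path.join(pid_dir, "exe"))  # dangling target is fine here
        with open(os.path.join(pid_dir, "cmdline"), "wb") as fh:
            fh.write(cmdline)
    os.makedirs(os.path.join(root, "sys"))  # non-pid entry that must be skipped


def demo() -> List[Dict]:
    """Run the scan against the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_proc(tmp)
        return scan_proc(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print(miner_config_indicators(SAMPLE_CONFIG))
```

Run against a live host with `scan_proc()` (root is needed to read every process's exe link); the memfd check is the stronger of the two indicators, since argv[0] is attacker-controlled and may be rewritten to look ordinary, whereas the exe link is set by the kernel.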