As reported by The Hacker News, a new malicious package discovered in the Python Package Index (PyPI) has been found to impersonate a popular library for symbolic mathematics to deploy malicious payloads, including a cryptocurrency miner, on Linux hosts.The package, named sympy-dev, mimics SymPy, replicating its project description to deceive users. It has been downloaded over 1,100 times since January 17, 2026. The modified library acts as a downloader for an XMRig cryptocurrency miner. The malicious behavior is triggered only when specific polynomial routines are called. The backdoored functions retrieve a remote JSON configuration and download an ELF payload, executing it from memory using Linux memfd_create and /proc/self/fd to reduce on-disk artifacts. The end goal is to mine cryptocurrency using XMRig on Linux hosts, with configurations enabling CPU mining and disabling GPU backends.The technique of using memory-backed file descriptors to execute payloads is a sophisticated method to evade detection. While this campaign focused on cryptojacking, the underlying Python implant functions as a general-purpose loader, capable of fetching and executing arbitrary code, posing a broader risk to developers and organizations relying on third-party libraries. Developers should exercise extreme caution when installing packages, verifying their authenticity and source.Source: The Hacker News
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
Related Terms
AdwareYou can skip this ad in 5 seconds



