Malware, DevOps, Supply chain

Malicious Python package on PyPI deploys cryptocurrency miner

As reported by The Hacker News, a new malicious package discovered in the Python Package Index (PyPI) has been found to impersonate a popular library for symbolic mathematics to deploy malicious payloads, including a cryptocurrency miner, on Linux hosts.

The package, named sympy-dev, mimics SymPy, replicating its project description to deceive users. It has been downloaded over 1,100 times since January 17, 2026. The modified library acts as a downloader for an XMRig cryptocurrency miner. The malicious behavior is triggered only when specific polynomial routines are called. The backdoored functions retrieve a remote JSON configuration and download an ELF payload, executing it from memory using Linux memfd_create and /proc/self/fd to reduce on-disk artifacts. The end goal is to mine cryptocurrency using XMRig on Linux hosts, with configurations enabling CPU mining and disabling GPU backends.

The technique of using memory-backed file descriptors to execute payloads is a sophisticated method to evade detection. While this campaign focused on cryptojacking, the underlying Python implant functions as a general-purpose loader, capable of fetching and executing arbitrary code, posing a broader risk to developers and organizations relying on third-party libraries. Developers should exercise extreme caution when installing packages, verifying their authenticity and source.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Adware

You can skip this ad in 5 seconds