Full Report
A new malicious package discovered in the Python Package Index (PyPI) has been found to impersonate a popular library for symbolic mathematics to deploy malicious payloads, including a cryptocurrency miner, on Linux hosts. The package, named sympy-dev, mimics SymPy, replicating the latter's project description verbatim in an attempt to deceive unsuspecting users into thinking that they are
Analysis Summary
# Tool/Technique: sympy-dev Malicious PyPI Package
## Overview
The package `sympy-dev` is a malicious software distribution found on the Python Package Index (PyPI) designed to impersonate the legitimate **SymPy** library. Its primary purpose is to serve as a downloader/loader to compromise Linux hosts and install a cryptocurrency miner, specifically **XMRig**.
## Technical Details
- Type: Malware (Loader/Downloader deploying Cryptominer)
- Platform: Linux hosts
- Capabilities: Package impersonation, remote configuration fetching, downloading ELF payloads, in-memory execution to evade disk artifacts, and deploying CPU-based cryptomining.
- First Seen: January 17, 2026 (Date of first publication)
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
- [T1071 - Application Layer Protocol](https://attack.mitre.org/techniques/T1071/)
- **TA0005 - Defense Evasion**
- [T1055 - Process Injection](https://attack.mitre.org/techniques/T1055/) (Via in-memory execution/memfd)
- **TA0002 - Execution**
- [T1204.002 - User Execution: Malicious File](https://attack.mitre.org/techniques/T1204/002/) (Downloading and executing the package)
- **TA0016 - Lateral Movement** (implied rather than observed: the loader can fetch and run arbitrary second-stage code, so further tooling could follow)
- [T1570 - Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570/) (Implied by the loader functionality)
## Functionality
### Core Capabilities
- **Impersonation:** Mimics the legitimate `SymPy` library, replicating its project description to gain developer trust.
- **Payload Delivery:** Acts as a downloader/loader for secondary malicious components (Linux ELF binaries).
- **Cryptomining:** The ultimate goal is to run the **XMRig** cryptocurrency miner, configured for CPU mining only.
### Advanced Features
- **Evading Detection (Fileless Execution):** The malicious functions retrieve a remote JSON configuration and an ELF payload, then execute the binary directly from an **anonymous memory-backed file descriptor** using Linux interfaces like `memfd_create` and `/proc/self/fd`. This significantly reduces on-disk artifacts.
- **Conditional Triggering:** The malicious behavior is reportedly designed to trigger only when specific polynomial routines within the compromised library are called, aiding in low-and-slow activity.
- **General Purpose Loader:** The initial implant functions as a general-purpose loader capable of fetching and executing *arbitrary* second-stage code under the privileges of the Python process.
## Indicators of Compromise
- File Hashes: *No specific hashes provided in the text.*
- File Names: `sympy-dev` (PyPI package name), Linux ELF binaries (payloads).
- Registry Keys: *Not applicable (Linux).*
- Network Indicators: Threat actor-controlled IP addresses hosting configurations and payloads: `63.250.56[.]54` (defanged). Stratum endpoints for mining use TLS on port **3333** hosted on the same IP addresses.
- Behavioral Indicators: Execution of Python routines triggering remote JSON configuration fetches, downloading ELF files, and observed CPU-intensive processes consistent with XMRig mining. Memory-backed execution via `memfd_create`.
## Associated Threat Actors
- The specific threat actor group is **not explicitly named** in relation to this initial package, but the use of the in-memory execution technique is noted as having been previously adopted by cryptojacking campaigns orchestrated by **FritzFrog** and **Mimo**.
## Detection Methods
- Signature-based detection: Signatures for the specific `sympy-dev` package checksums or its presence in dependency manifests. Signatures targeting known XMRig configurations or communication patterns on port 3333 over TLS.
- Behavioral detection: Monitoring dynamic library loading or execution patterns involving memory-backed file descriptors (`/proc/self/fd`) or calls to `memfd_create`. Detecting abnormal CPU usage by the Python process or subprocesses mining cryptocurrency.
- YARA rules: *Not available in the text.*
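A host-side check for the memory-backed execution described above, added here as an example and not taken from the report or from any vendor tooling. It keys on the fact that a process exec'd via `/proc/self/fd/N` from a `memfd_create` descriptor has an `/proc/<pid>/exe` link of the form `/memfd:<name> (deleted)`; the `SAMPLE_EXE_LINKS` table is a constructed sample, and `scan_proc` is a live scan that needs root to see other users' processes.

```python
import os
import re
from typing import Dict, List

# A binary exec'd from an anonymous memfd (memfd_create + /proc/self/fd/N)
# has no path on disk, so /proc/<pid>/exe links to "/memfd:<name> (deleted)".
# A deleted on-disk file looks similar ("/tmp/x (deleted)") but lacks the
# "/memfd:" prefix, which is what this check keys on.
MEMFD_LINK = re.compile(r"^/memfd:")


def classify_exe_links(exe_links: Dict[int, str]) -> List[int]:
    """Return the pids whose exe link points at a memfd object.

    exe_links maps pid -> target of readlink('/proc/<pid>/exe')."""
    return sorted(pid for pid, target in exe_links.items()
                  if MEMFD_LINK.match(target))


def scan_proc(proc_root: str = "/proc") -> Dict[int, str]:
    """Live scan: collect exe link targets for every readable process."""
    links: Dict[int, str] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            links[int(entry)] = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            # Kernel threads have no exe; other users' processes need root to read.
            continue
    return links


# Constructed sample of /proc/<pid>/exe targets (not a real capture): a
# Python process, two children exec'd from memfd, and a deleted on-disk binary.
SAMPLE_EXE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    4242: "/usr/bin/python3.11",
    4310: "/memfd:x (deleted)",
    4311: "/memfd:miner (deleted)",
    5000: "/tmp/build (deleted)",
}

if __name__ == "__main__":
    for pid in classify_exe_links(scan_proc()):
        print(f"pid {pid} is executing from a memory-backed fd")
```

Pair a hit with the parent process (a Python interpreter in this case) and sustained CPU load to separate this loader's behaviour from legitimate memfd users such as some container runtimes.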
## Mitigation Strategies
- Prevention measures: Strict auditing of dependencies installed from public repositories like PyPI, preferring internal repositories or explicitly vetting packages, especially those with unfamiliar naming conventions (e.g., `library-dev` vs `library`). Pinning dependencies to verified source locations.
- Hardening recommendations: Implementing security controls that monitor or restrict the use of system calls associated with fileless execution (`memfd_create`). Isolating application execution environments where possible.
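An added example of the dependency-audit step above, applied to the `library-dev` vs `library` naming pattern; it is not code from the report. It assumes a constructed allowlist `KNOWN_PROJECTS` (in practice generated from an internal index or lock file) and a constructed requirements file `SAMPLE_REQUIREMENTS`, and uses PEP 503 name normalization so `numpy_dev` and `numpy-dev` compare equal.

```python
import re
from typing import Iterable, List, Tuple

# Constructed allowlist of projects the code base legitimately depends on;
# in practice generate it from an internal index or lock file.
KNOWN_PROJECTS = {"sympy", "numpy", "requests", "scipy"}
# Suffixes that make a name read like a release channel of a known project.
CHANNEL_SUFFIXES = ("-dev", "-devel", "-nightly", "-beta", "-test")


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' or '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line: str) -> str:
    """Extract the project name from a requirements.txt line; comments,
    version specifiers, extras, markers and URLs are dropped."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return ""
    return normalize(re.split(r"[\s\[<>=!~;@]", line, maxsplit=1)[0])


def flag_lookalikes(requirements: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (requirement, known project) pairs for names that are a known
    project plus a channel-style suffix and are not themselves allowlisted."""
    findings = []
    for line in requirements:
        name = requirement_name(line)
        if not name or name in KNOWN_PROJECTS:
            continue
        for suffix in CHANNEL_SUFFIXES:
            if name.endswith(suffix) and name[:-len(suffix)] in KNOWN_PROJECTS:
                findings.append((name, name[:-len(suffix)]))
                break
    return findings


# Constructed requirements file, not from any real project.
SAMPLE_REQUIREMENTS = [
    "sympy>=1.12",
    "sympy-dev          # reads like a SymPy pre-release channel",
    "numpy_dev==0.1",
    "requests[socks]",
    "-r base.txt",
]

if __name__ == "__main__":
    for name, base in flag_lookalikes(SAMPLE_REQUIREMENTS):
        print(f"{name}: not allowlisted, resembles {base}; verify before installing")
```

A flagged name is a review prompt, not proof of malice; the decision is whether the project's maintainers actually publish that name, which the allowlist should record once confirmed.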
## Related Tools/Techniques
- **Payload:** XMRig (cryptocurrency miner).
- **Technique Precedent:** In-memory execution techniques previously used by **FritzFrog** and **Mimo** malware families.
- **Distribution Vector:** Supply Chain Attack via dependency confusion/typosquatting on PyPI.