
A new malicious package on the Python Package Index (PyPI), named sympy-dev, has been caught impersonating the widely used SymPy library to deliver cryptomining malware.
SymPy is a popular symbolic mathematics library that sees tens of millions of downloads every month, making it an attractive target for attackers looking to abuse developer trust and widespread adoption.
By copying SymPy’s branding and project description, the fake package aimed to slip into developer workflows with minimal suspicion.
The threat actor published several versions of sympy-dev in quick succession, all containing hidden malicious code.
Once added to a project by mistake or through a mistyped command, the package could run on developer machines, in continuous integration pipelines, and in production systems.
This allowed the attacker to hijack computing resources for illicit cryptocurrency mining while remaining largely invisible to casual reviews of the code.
Socket.dev analysts first identified and documented the malicious behavior inside sympy-dev after noticing that the package closely mimicked the legitimate SymPy listing.
Their investigation showed how the attacker used typosquatting and lookalike metadata to trick users into installing the wrong package.
The researchers also noted that the package crossed more than a thousand downloads within its first day online, showing how fast such threats can spread once they enter a public registry.
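The lookalike naming described above is something a team can check for before a package is ever installed. The script below is an added example, not Socket.dev's tooling or anything from the SymPy project: it normalizes a requested name the way PyPI does, then flags it if it is a well-known package with a common affix bolted on (sympy-dev, requests-py) or within a small edit distance of one. The allowlist of popular names and the affix list are constructed samples; a real deployment would load them from an internal list or PyPI download statistics.

```python
"""Pre-install lookalike check for PyPI package names (added example)."""
import re
import sys

# Constructed sample allowlist of widely used packages (assumption: an
# organization maintains such a list from its own dependency inventory).
POPULAR_PACKAGES = {"sympy", "numpy", "requests", "scipy", "pandas"}

# Affixes commonly attached to a legitimate name to produce a lookalike.
LOOKALIKE_AFFIXES = ("dev", "py", "python", "lib", "utils", "tools", "2", "3")


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case and collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_package_name(requested: str, popular=POPULAR_PACKAGES) -> dict:
    """Classify a requested name as known, lookalike (with the name it mimics), or unknown."""
    req = normalize(requested)
    if req in popular:
        return {"name": req, "verdict": "known", "lookalike_of": None, "reason": None}
    for known in sorted(popular):  # sorted for deterministic results
        for affix in LOOKALIKE_AFFIXES:
            variants = {f"{known}-{affix}", f"{affix}-{known}", f"{known}{affix}"}
            if req in variants:
                return {"name": req, "verdict": "lookalike", "lookalike_of": known, "reason": "affix"}
        # Allow one edit for short names, two for longer ones (e.g. transposed letters).
        threshold = 2 if len(known) >= 8 else 1
        if edit_distance(req, known) <= threshold:
            return {"name": req, "verdict": "lookalike", "lookalike_of": known, "reason": "edit-distance"}
    return {"name": req, "verdict": "unknown", "lookalike_of": None, "reason": None}


if __name__ == "__main__":
    # Usage: python check_name.py sympy-dev
    for arg in sys.argv[1:]:
        print(check_package_name(arg))
```

A check like this belongs in a pre-commit hook or a CI step that reads requirements files; an "unknown" verdict is not a rejection, only a signal that the package is outside the team's vetted set and deserves a look at its publisher and release history.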
Execution Chain: From Polynomial Math to Cryptomining
The most concerning part of this campaign lies in how the malware activates and runs.
Instead of triggering on import, the attacker injected a loader into specific polynomial routines inside the modified SymPy code.
When those math functions are called, the loader quietly contacts remote servers controlled by the attacker, fetches a configuration file, and then downloads a separate Linux binary.
Socket.dev researchers identified that this binary is an XMRig-based cryptominer configured to mine cryptocurrency over encrypted Stratum connections.
To reduce traces on disk, the loader uses Linux’s memfd_create system call and executes the payload directly from memory using the /proc/self/fd path.
This in-memory execution pattern helps the malware evade simple file-based scans, while still turning legitimate algebra operations into a covert mining operation in the background.
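Because the loader hides inside ordinary math routines rather than firing on import, a quick look at a package's top-level `__init__.py` would miss it. The scanner below is an added example, not Socket.dev's tooling: it parses each module of a package with Python's `ast` module and reports any function whose body references the ingredients named in the article (memfd_create, the /proc/self/fd path, libc loading via ctypes, exec-family calls, network fetches). The embedded sample module is constructed for the test: a benign polynomial helper next to a second helper that merely references those indicators without doing anything.

```python
"""Static audit of a Python package for fileless-execution indicators (added example)."""
import ast
import pathlib
import sys

# Indicators drawn from the behaviour described in the article, plus the
# standard Python routes to those syscalls. Assumption: this list is a
# starting point, not a complete signature set.
STRING_INDICATORS = ("memfd_create", "/proc/self/fd", "/proc/self/exe")
NAME_INDICATORS = {"memfd_create", "fexecve", "execv", "execve", "CDLL", "urlopen", "Popen"}


def _names_in(node):
    """Yield every attribute and identifier name used beneath an AST node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Attribute):
            yield sub.attr
        elif isinstance(sub, ast.Name):
            yield sub.id


def _strings_in(node):
    """Yield every string literal beneath an AST node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            yield sub.value


def scan_source(source: str, filename: str = "<module>") -> list:
    """Return one finding per function that touches any indicator."""
    tree = ast.parse(source, filename=filename)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        hits = {n for n in _names_in(node) if n in NAME_INDICATORS}
        for literal in _strings_in(node):
            hits.update(ind for ind in STRING_INDICATORS if ind in literal)
        if hits:
            findings.append({"file": filename, "function": node.name,
                             "line": node.lineno, "indicators": sorted(hits)})
    return findings


def scan_package(root) -> list:
    """Walk every .py file under root (e.g. a site-packages/<pkg> directory)."""
    findings = []
    for path in sorted(pathlib.Path(root).rglob("*.py")):
        text = path.read_text(encoding="utf-8", errors="replace")
        try:
            findings.extend(scan_source(text, str(path)))
        except SyntaxError:
            # Unparseable source in a published wheel is itself worth a look.
            findings.append({"file": str(path), "function": None,
                             "line": 0, "indicators": ["unparseable"]})
    return findings


# Constructed sample: a clean polynomial helper beside one that references
# the indicators. The second function does not fetch or execute anything;
# it exists only so the scanner has something to flag.
SAMPLE_MODULE = '''
def poly_degree(coeffs):
    return len(coeffs) - 1

def poly_eval(coeffs, x):
    import ctypes
    libc = ctypes.CDLL(None)
    fd_prefix = "/proc/self/fd/"
    entry = libc.memfd_create
    return sum(c * x ** i for i, c in enumerate(coeffs))
'''


if __name__ == "__main__":
    # Usage: python audit_pkg.py /path/to/site-packages/somepkg
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for f in (scan_package(target) if target else scan_source(SAMPLE_MODULE, "sample.py")):
        print(f"{f['file']}:{f['line']} {f['function']} -> {', '.join(f['indicators'])}")
```

The point of scanning per function rather than per file is context: `ctypes` in a C-extension wrapper is unremarkable, but `memfd_create` and `/proc/self/fd` inside something named like a polynomial routine is exactly the mismatch the article describes. Run it against a freshly built virtual environment in CI, and treat any finding in a package that claims to be pure math as a reason to pin to the genuine project instead.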
