Malicious PyPI Package Impersonates SymPy, Deploys Miner
🔍 A malicious PyPI package named sympy-dev was found impersonating SymPy, copying the legitimate project's description to trick users; it has been downloaded over 1,100 times since its January 17, 2026 publication. Socket's analysis shows select symbolic-math routines were modified to retrieve a remote JSON configuration and download an ELF payload that launches an XMRig miner. The backdoor executes the ELF binary directly in memory via memfd_create and /proc/self/fd to reduce on-disk artifacts and only triggers when specific polynomial functions are invoked to remain stealthy.
