The Math Malware: How “sympy-dev” Hijacked PyPI to Mine Crypto
A malicious software package masquerading as a ubiquitous library for symbolic mathematics has been identified within the official PyPI repository. Orchestrators of this campaign meticulously replicated the description of the legitimate project to present their malware as a developmental “dev” version, thereby deceiving Python developers. Beneath this artifice lies a calculated attempt to compromise systems with a payload that subsequently initiates a cryptocurrency miner on Linux environments.
The package, christened sympy-dev, was disseminated on January 17 and has since garnered in excess of 1,100 downloads, suggesting that the contagion may have already infiltrated numerous production environments. At the time of this disclosure, the package remains accessible for installation. By co-opting the name and documentation of the SymPy library, the malware trades on the original project's reputation to cultivate a false sense of security among practitioners.
Forensic analysis conducted by Socket revealed that the library functions as a clandestine loader for the XMRig miner. Crucially, the embedded malicious logic is triggered only upon the invocation of specific polynomial functions, a sophisticated evasion tactic designed to elude detection during superficial code reviews.
These subverted functions establish communication with a remote command-and-control server to retrieve a JSON configuration file and an ELF executable. The binary is subsequently executed directly from volatile memory utilizing the memfd_create and /proc/self/fd mechanisms—a “fileless” execution strategy that leaves no forensic artifacts on the physical disk. This methodology mirrors tactics observed in previous cryptojacking campaigns, such as those attributed to FritzFrog and Mimo.
The primary objective of the malicious code is the deployment of two ELF binaries optimized for CPU-based mining via the Stratum protocol on port 3333, explicitly eschewing GPU resources to focus entirely on the central processing unit. Security specialists emphasize that this component is not merely a miner but a versatile vehicle for executing arbitrary code, potentially facilitating further escalation with the privileges of the compromised Python process.
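The two host-level traces described above, an executable backed by an anonymous memfd rather than a file on disk, and an established connection to the Stratum port 3333, can both be checked from /proc. The following detection script is an added example, not code from the report or from Socket; the process table and /proc/net/tcp contents it scans are constructed samples, and live_scan() assumes a Linux host where the caller may read other processes' /proc entries.

```python
import os
import re

# Constructed sample of readlink("/proc/<pid>/exe") results. A binary executed
# through memfd_create shows up as "/memfd:<name> (deleted)" with no on-disk path.
SAMPLE_EXE_LINKS = {
    1234: "/usr/bin/python3.11",
    4321: "/memfd: (deleted)",
    5678: "/memfd:xmrig (deleted)",
    9012: "/usr/lib/firefox/firefox",
}

# Constructed sample in /proc/net/tcp format. Addresses are little-endian hex;
# 0D05 is port 3333 (Stratum), state 01 is ESTABLISHED, 0A is LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B2C4 0501A8C0:0D05 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:A1B2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67891 1 0000000000000000 20 4 30 10 -1
"""

MEMFD_RE = re.compile(r"^/memfd:")
STRATUM_PORT = 3333
ESTABLISHED = 1

def hex_ip(h: str) -> str:
    """/proc/net/tcp stores IPv4 as little-endian hex; convert to dotted quad."""
    return ".".join(str(b) for b in bytes.fromhex(h)[::-1])

def memfd_backed_pids(exe_links: dict) -> list:
    """PIDs whose main executable lives only in an anonymous memfd."""
    return sorted(pid for pid, target in exe_links.items() if MEMFD_RE.match(target))

def parse_proc_net_tcp(text: str) -> list:
    """Yield (remote_ip, remote_port, state, inode) for each socket row."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        r_ip, r_port = fields[2].split(":")
        rows.append((hex_ip(r_ip), int(r_port, 16), int(fields[3], 16), int(fields[9])))
    return rows

def stratum_connections(text: str) -> list:
    """Established sockets to the Stratum port, as a CPU miner would hold."""
    return [(ip, port, inode) for ip, port, state, inode in parse_proc_net_tcp(text)
            if port == STRATUM_PORT and state == ESTABLISHED]

def live_scan():
    """Run both checks against the real /proc of this Linux host."""
    links = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            links[int(pid)] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited or not readable with our privileges
    with open("/proc/net/tcp") as f:
        return memfd_backed_pids(links), stratum_connections(f.read())
```

A flagged memfd-backed PID can be cross-checked against /proc/<pid>/cmdline and its parent; a Python interpreter as the parent of a memfd-backed child matches the behaviour the report describes.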