Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts

The Hacker News by The Hacker News
January 22, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananJan 22, 2026Cryptojacking / Malware

A new malicious package discovered in the Python Package Index (PyPI) has been found to impersonate a popular library for symbolic mathematics to deploy malicious payloads, including a cryptocurrency miner, on Linux hosts.

The package, named sympy-dev, mimics SymPy, replicating the latter’s project description verbatim in an attempt to deceive unsuspecting users into thinking that they are downloading a “development version” of the library. It has been downloaded over 1,100 times since it was first published on January 17, 2026.

Although the download count is not a reliable yardstick for measuring the number of infections, the figure likely suggests some developers may have fallen victim to the malicious campaign. The package remains available for download as of writing.

According to Socket, the original library has been modified to act as a downloader for an XMRig cryptocurrency miner on compromised systems. The malicious behavior is designed to trigger only when specific polynomial routines are called so as to fly under the radar.

Cybersecurity

“When invoked, the backdoored functions retrieve a remote JSON configuration, download a threat actor-controlled ELF payload, then execute it from an anonymous memory-backed file descriptor using Linux memfd_create and /proc/self/fd, which reduces on-disk artifacts,” security researcher Kirill Boychenko said in a Wednesday analysis.

The altered functions are used to execute a downloader, which fetches a remote JSON configuration and an ELF payload from “63.250.56[.]54,” and then launches the ELF binary along with the configuration as input directly in memory to avoid leaving artifacts on disk. This technique has been previously adopted by cryptojacking campaigns orchestrated by FritzFrog and Mimo.

The end goal of the attack is to download two Linux ELF binaries that are designed to mine cryptocurrency using XMRig on Linux hosts.

“Both retrieved configurations use an XMRig compatible schema that enables CPU mining, disables GPU backends, and directs the miner to Stratum over TLS endpoints on port 3333 hosted on the same threat actor-controlled IP addresses,” Socket said.

“Although we observed cryptomining in this campaign, the Python implant functions as a general purpose loader that can fetch and execute arbitrary second stage code under the privileges of the Python process.”



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Long Weekends Are the New Vacations: How Travellers Are Redefining Time Off in 2026

Long Weekends Are the New Vacations: How Travellers Are Redefining Time Off in 2026

Recommended.

Asset manager Janus Henderson gets bought by Trian, General Catalyst for .4 billion

Asset manager Janus Henderson gets bought by Trian, General Catalyst for $7.4 billion

December 22, 2025
TCL predstaví na veľtrhu CES 2026 budúcnosť s pokročilými vizuálnymi inováciami a produktovým portfóliom s podporou AI

TCL predstaví na veľtrhu CES 2026 budúcnosť s pokročilými vizuálnymi inováciami a produktovým portfóliom s podporou AI

December 18, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
British Space Startup Launches Longevity Lab Into Orbit

British Space Startup Launches Longevity Lab Into Orbit

July 7, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio