Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts
2026-01-22 10:04:00 Author: thehackernews.com (view original)

A new malicious package discovered in the Python Package Index (PyPI) has been found to impersonate a popular library for symbolic mathematics to deploy malicious payloads, including a cryptocurrency miner, on Linux hosts.

The package, named sympy-dev, mimics SymPy, replicating the latter's project description verbatim in an attempt to deceive unsuspecting users into thinking that they are downloading a "development version" of the library. It has been downloaded over 1,100 times since it was first published on January 17, 2026.

Although the download count is not a reliable yardstick for measuring the number of infections, the figure suggests that some developers have likely installed the malicious package. The package remains available for download as of writing.

According to Socket, the original library has been modified to act as a downloader for an XMRig cryptocurrency miner on compromised systems. The malicious behavior is designed to trigger only when specific polynomial routines are called so as to fly under the radar.


"When invoked, the backdoored functions retrieve a remote JSON configuration, download a threat actor-controlled ELF payload, then execute it from an anonymous memory-backed file descriptor using Linux memfd_create and /proc/self/fd, which reduces on-disk artifacts," security researcher Kirill Boychenko said in a Wednesday analysis.

The altered functions are used to execute a downloader, which fetches a remote JSON configuration and an ELF payload from "63.250.56[.]54," and then launches the ELF binary along with the configuration as input directly in memory to avoid leaving artifacts on disk. This technique has been previously adopted by cryptojacking campaigns orchestrated by FritzFrog and Mimo.
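A defender-side check for the in-memory execution technique described above, added here as an example rather than code from the article or from Socket's analysis: on Linux, `readlink()` on `/proc/<pid>/exe` or `/proc/<pid>/fd/<n>` returns a target of the form `/memfd:<name> (deleted)` for objects created with `memfd_create`, so a triage script can enumerate procfs and flag processes that run from, or hold open, such anonymous descriptors. The `scan_proc` and `is_memfd_target` names and the `proc_root` parameter are this example's own.

```python
"""Triage helper: flag running processes whose main executable, or any open
file descriptor, is backed by an anonymous memfd rather than a file on disk."""
import os
from pathlib import Path

# On Linux, procfs symlinks to memfd_create() objects resolve to
# "/memfd:<name> (deleted)"; that prefix is the signal we look for.
MEMFD_PREFIX = "/memfd:"


def is_memfd_target(link_target: str) -> bool:
    """True when a /proc symlink target points at a memfd-backed object."""
    return link_target.startswith(MEMFD_PREFIX)


def scan_proc(proc_root: str = "/proc") -> list[dict]:
    """Walk a procfs tree (the real /proc, or a constructed copy for testing)
    and return one finding per process that either executes from a memfd
    (exe symlink) or holds a memfd open (fd/<n> symlink)."""
    findings = []
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():  # skip /proc/self, /proc/sys, etc.
            continue
        finding = {"pid": int(pid_dir.name), "exe": None, "memfd_fds": []}
        try:
            exe = os.readlink(pid_dir / "exe")
        except OSError:  # kernel thread, exited process, or no permission
            exe = ""
        if is_memfd_target(exe):
            finding["exe"] = exe
        try:
            for fd in (pid_dir / "fd").iterdir():
                try:
                    target = os.readlink(fd)
                except OSError:  # descriptor closed between listing and readlink
                    continue
                if is_memfd_target(target):
                    finding["memfd_fds"].append((fd.name, target))
        except OSError:  # fd directory unreadable for this process
            pass
        if finding["exe"] or finding["memfd_fds"]:
            findings.append(finding)
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for hit in scan_proc():
        print(hit)
```

Legitimate software (systemd, browsers, some JIT runtimes) also uses memfd, so treat a hit as a lead for triage, correlating it with the parent process (here, a Python interpreter) and outbound connections, not as an automatic verdict.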

The end goal of the attack is to download two Linux ELF binaries that are designed to mine cryptocurrency using XMRig on Linux hosts.

"Both retrieved configurations use an XMRig compatible schema that enables CPU mining, disables GPU backends, and directs the miner to Stratum over TLS endpoints on port 3333 hosted on the same threat actor-controlled IP addresses," Socket said.

"Although we observed cryptomining in this campaign, the Python implant functions as a general purpose loader that can fetch and execute arbitrary second stage code under the privileges of the Python process."



Source: https://thehackernews.com/2026/01/malicious-pypi-package-impersonates.html