Malicious PyPI package impersonates SymPy to deploy XMRig miner

A deceptive package on the PyPI repository has been found impersonating the popular SymPy library. This malicious software targets Linux systems, downloading and executing the XMRig cryptocurrency miner through in-memory techniques. Security researchers have highlighted the risks posed by such supply chain attacks in open-source ecosystems.

The Python Package Index (PyPI), a key repository for Python developers, has become a vector for malware distribution. Researchers at The Hacker News reported the discovery of a fake package named "sympy-dev," designed to mimic the legitimate SymPy mathematical library. Upon installation, this package does not provide the expected functionality but instead initiates a stealthy payload.

Specifically, the malware fetches and runs the XMRig miner, a tool commonly used for Monero cryptocurrency mining, on Linux hosts. It employs in-memory execution methods to evade detection by traditional antivirus software, allowing the miner to operate without writing files to disk. This approach minimizes forensic footprints and complicates removal efforts.

Such incidents underscore vulnerabilities in software supply chains, where developers might unwittingly install compromised dependencies. The SymPy library, widely used for symbolic mathematics in scientific computing, serves as an attractive target due to its popularity. No specific victims or widespread impacts were detailed in the report, but the event serves as a reminder for users to verify package authenticity and monitor for unusual system behavior.

Experts recommend scanning dependencies with tools like pip-audit and keeping libraries updated to mitigate these threats. As open-source platforms grow, vigilance against impersonation tactics remains crucial for maintaining trust in the ecosystem.

Verwandte Artikel

Developer platform Socket has identified a malware known as TrapDoor that is targeting crypto and AI developers.

Von KI berichtet

Seventy-three Microsoft open source packages were compromised late last week with malware that steals credentials from cloud services and developer tools. The malicious code activates when opened in AI coding agents.

Dienstag, 16. Juni 2026, 20:05 Uhr

Arch Linux disables new AUR registrations after malware waves

Samstag, 13. Juni 2026, 16:49 Uhr

Malware infects 1579 packages in Arch Linux AUR

Montag, 11. Mai 2026, 06:22 Uhr

Fake OpenAI repository tops Hugging Face downloads

Freitag, 08. Mai 2026, 19:49 Uhr

Hackers create fake Claude site to spread malware

Dienstag, 05. Mai 2026, 12:10 Uhr

Daemon Tools app hit by monthlong supply-chain attack

Diese Website verwendet Cookies

Wir verwenden Cookies für Analysen, um unsere Website zu verbessern. Lesen Sie unsere Datenschutzrichtlinie für weitere Informationen.
Ablehnen