Side-by-side PyPI listings contrast the legitimate sympy package (left) with sympy-dev (right) | Image: Socket
A deceptive new supply chain attack has been uncovered in the Python ecosystem, where a malicious package impersonating the popular SymPy mathematics library is turning developers’ machines into unwitting cryptocurrency miners. Socket’s Threat Research Team has flagged the rogue package, sympy-dev, as a dangerous typosquat designed to trick users into downloading it instead of the legitimate tool.
The attack leverages the trust developers place in open-source repositories. “Socket’s Threat Research Team identified a malicious PyPI package, sympy-dev, that impersonates SymPy, a widely used symbolic mathematics library with roughly 85 million downloads per month,” the report states.
The threat actor went to great lengths to make the fake package look authentic. “The threat actor copied SymPy’s project description and branding cues into the sympy-dev listing, increasing the likelihood of accidental installation”.
Using a common naming convention—appending -dev to imply a development version—the attackers successfully lured over 1,000 victims in the first day alone. “Downloads do not equate to infections, but early uptake suggests the package began reaching real developer and CI environments quickly”.
Unlike smash-and-grab attacks, this malware is surprisingly subtle. It doesn’t execute immediately upon installation. Instead, “the malicious code activates when specific polynomial routines run; a quieter approach that blends into normal SymPy usage”.
When a developer calls specific mathematical functions (such as Gröbner basis calculations), the hidden code triggers. “When invoked, the backdoored functions retrieve a remote JSON configuration, download a threat actor-controlled ELF payload, then execute it from an anonymous memory-backed file descriptor”.
This execution technique, which relies on the Linux memfd_create system call to run an ELF binary that is never written to disk, helps the malware evade traditional disk-scanning antivirus software.
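One host-side check a defender can run for this delivery technique, added here as an illustrative example and not code from Socket's report: on Linux, a process executed from a memfd descriptor has a /proc/&lt;pid&gt;/exe link that points at "/memfd:&lt;name&gt; (deleted)" rather than a real path, so walking /proc and classifying exe targets surfaces in-memory payloads. The demo() function builds a constructed /proc look-alike so the scan can be exercised offline.

```python
import os
import tempfile

# The kernel names a memfd-backed executable "/memfd:<name>", normally followed
# by " (deleted)" because no on-disk path ever existed for it.
MEMFD_PREFIX = "/memfd:"


def is_memfd_exe(exe_target: str) -> bool:
    """True when a /proc/<pid>/exe link target points at an anonymous memfd."""
    return exe_target.startswith(MEMFD_PREFIX)


def scan_procs(proc_root: str = "/proc"):
    """Return sorted [(pid, exe_target)] for processes whose image lives in a memfd.

    Entries we cannot inspect (permission denied, process exited mid-scan) are
    skipped, so run as root for full coverage of other users' processes.
    """
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():  # skip "self", "sys", "net", ...
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue
        if is_memfd_exe(target):
            hits.append((int(entry), target))
    return sorted(hits)


def demo():
    """Scan a constructed /proc look-alike (sample data, not a real host)."""
    root = tempfile.mkdtemp()
    fake = {
        "1001": "/usr/bin/python3",
        "1002": "/memfd:xmrig (deleted)",  # constructed: an in-memory ELF payload
        "1003": "/usr/lib/systemd/systemd",
        "self": "/usr/bin/scanner",  # non-numeric entry, ignored by the scan
    }
    for pid, target in fake.items():
        os.makedirs(os.path.join(root, pid))
        os.symlink(target, os.path.join(root, pid, "exe"))
    return scan_procs(root)


if __name__ == "__main__":
    print("constructed sample:", demo())
    print("this host:", scan_procs())
```

A hit is a strong signal but not proof of compromise; some legitimate loaders use memfd, so correlate with the parent process (here a Python interpreter) and outbound Stratum/TLS connections before acting.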
The payload itself is less subtle than its delivery method: it’s a cryptominer. “In the samples retrieved during dynamic analysis, the downloaded payloads are XMRig cryptominers, and the configuration directs mining to Stratum endpoints over TLS”.
However, researchers warn that the infrastructure is modular. “We observed XMRig cryptomining in this campaign, but the same execution chain enables arbitrary code execution under the privileges of the Python process”. This means the attackers could easily swap the miner for ransomware or data-stealing tools without changing the package.
The malicious package was published on January 17, 2026, and at the time of the report, it remained live on PyPI. Socket has petitioned for its removal, but the incident serves as a stark reminder of the fragility of the software supply chain.
“Defenders should expect typosquatted packages that embed a staged downloader and in-memory execution to persist and evolve,” the researchers caution. They advise teams to “prioritize dependency pinning and integrity checks” to avoid falling victim to similar ruses in the future.