A deceptive new supply chain attack has been uncovered in the Python ecosystem, where a malicious package impersonating the SymPy mathematics library is turning developers' machines into unwitting cryptocurrency miners. Socket's Threat Research Team flagged the rogue package, sympy-dev, as a dangerous typosquat designed to trick users into downloading it instead of the legitimate tool; according to the same team, SymPy sees roughly 85 million downloads per month.
The threat actor copied SymPy's project description and branding cues into the sympy-dev listing to increase the likelihood of accidental installation, and the package lured over 1,000 victims in the first day alone. The malware does not activate on installation but only when specific polynomial routines run: once invoked, the backdoored functions retrieve a remote JSON configuration, download a threat actor-controlled ELF payload, and execute it from an anonymous memory-backed file descriptor created with memfd_create.
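The memfd_create detail above is also a detection opportunity: an executable backed by an anonymous memory file shows up in the kernel's `/proc/<pid>/exe` link as `/memfd:<name> (deleted)` rather than as a path on disk. The following Python scanner is an added example and not code from the article or from Socket; it walks `/proc`, flags such processes, and includes a `build_fake_proc` helper that constructs a sample tree (process names and paths are constructed, not taken from the samples) so the logic can be exercised offline.

```python
"""Report processes whose executable is an anonymous memfd-backed file."""
import os
import tempfile


def is_memfd_exe(exe_target: str) -> bool:
    # An executable started from a memfd_create descriptor has no on-disk path;
    # the kernel renders its /proc/<pid>/exe link as "/memfd:<name> (deleted)".
    return exe_target.startswith("/memfd:")


def find_memfd_processes(proc_root: str = "/proc"):
    """Scan a /proc-style tree and return the processes running from a memfd."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            # Kernel threads, processes that exited mid-scan, or pids we may
            # not inspect without privileges all land here; skip them.
            continue
        if is_memfd_exe(exe):
            try:
                with open(os.path.join(pid_dir, "comm")) as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            hits.append({"pid": int(entry), "comm": comm, "exe": exe})
    return hits


def build_fake_proc(root: str) -> None:
    """Constructed sample tree mirroring the two /proc fields the scanner reads."""
    samples = {
        "1001": ("python3", "/usr/bin/python3.12"),   # ordinary interpreter
        "1002": ("kworker/0:1", None),                 # no readable exe link
        "1003": ("python3", "/memfd:payload (deleted)"),  # memfd-backed binary
    }
    for pid, (comm, exe) in samples.items():
        pid_dir = os.path.join(root, pid)
        os.makedirs(pid_dir)
        with open(os.path.join(pid_dir, "comm"), "w") as f:
            f.write(comm + "\n")
        if exe is not None:
            # A dangling symlink is fine: readlink returns the target text.
            os.symlink(exe, os.path.join(pid_dir, "exe"))


def demo():
    """Run the scanner against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        return find_memfd_processes(root)


if __name__ == "__main__":
    # Against the live system this needs enough privilege to read other
    # users' /proc/<pid>/exe links; run it as root for full coverage.
    for hit in find_memfd_processes():
        print(f"pid={hit['pid']} comm={hit['comm']} exe={hit['exe']}")
```

A one-off scan like this catches a miner that is already running; for continuous coverage the same `/memfd:` test fits naturally in an EDR or auditd rule on execve events.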
The payload is a cryptominer (XMRig in the observed samples) that mines to Stratum endpoints over TLS, and the report describes the infrastructure as modular enough to deliver other tooling, such as ransomware or data-stealing software, through the same execution chain. The malicious package was published on 17 January 2026 and was still live on PyPI at the time of the report; defenders are urged to prioritise dependency pinning and integrity checks to avoid similar ruses in the future.
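The closing advice on dependency pinning and integrity checks is concrete enough to automate. The Python audit below is an added example, not code from the article or from Socket: it parses a `requirements.txt`, flags entries that are not pinned to an exact version or carry no `--hash` pin, and flags names that shadow a known package with a suffix (exactly the `sympy` / `sympy-dev` pattern) or sit within one edit of it. The `KNOWN_PACKAGES` allowlist and the requirements text are constructed for the example; the hash values in it are placeholders.

```python
"""Audit a requirements file for unpinned, unhashed, or look-alike packages."""
import hashlib
import re

# Assumed allowlist of packages a project is expected to depend on.
KNOWN_PACKAGES = {"sympy", "numpy", "scipy", "requests"}

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?(==|>=|<=|~=|!=|>|<)?(.*)$")


def normalize(name: str) -> str:
    # PEP 503 normalisation: runs of '-', '_' and '.' collapse to '-', lowercase.
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_impersonation(name: str, known=KNOWN_PACKAGES):
    """Return the known package a name resembles, or None if it is legitimate."""
    n = normalize(name)
    if n in known:
        return None
    for k in known:
        # "sympy-dev" style suffixes/prefixes, or a one-character typo.
        if n.startswith(k + "-") or n.endswith("-" + k) or edit_distance(n, k) <= 1:
            return k
    return None


def parse_requirement(line: str):
    """Parse 'name==ver --hash=algo:hex ...'; returns None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = body.split()
    m = _REQ_RE.match(parts[0])
    if not m:
        return None
    hashes = [p.split("=", 1)[1] for p in parts[1:] if p.startswith("--hash=")]
    return {"name": m.group(1), "op": m.group(2), "version": m.group(3), "hashes": hashes}


def audit_requirements(text: str, known=KNOWN_PACKAGES):
    """Return (line number, package, finding) tuples for every policy violation."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        req = parse_requirement(line)
        if req is None:
            continue
        name = req["name"]
        target = looks_like_impersonation(name, known)
        if target:
            findings.append((lineno, name, f"name resembles known package '{target}'"))
        if req["op"] != "==":
            findings.append((lineno, name, "not pinned to an exact version"))
        if not req["hashes"]:
            findings.append((lineno, name, "no --hash integrity pin"))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, pinned_hashes) -> bool:
    """True if the downloaded artifact matches one of the pinned sha256 hashes."""
    return f"sha256:{sha256_hex(data)}" in set(pinned_hashes)


# Constructed requirements text; the hash values are placeholders, not real digests.
SAMPLE_REQUIREMENTS = """\
sympy==1.12 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
sympy-dev==0.1
requests>=2.0 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""

if __name__ == "__main__":
    for lineno, name, finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {name}: {finding}")
```

Run on its own the script reports the `sympy-dev` line twice (look-alike name, no hash) and the `requests` line once (range, not exact pin); `verify_artifact` is the check a build step would run on each downloaded wheel before installing, which is what `pip install --require-hashes` does for you once every line carries a `--hash`.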