PyPI Package Impersonates SymPy to Deliver Cryptomining Malware
Blog post from Socket
Socket's Threat Research Team discovered a malicious PyPI package named sympy-dev that impersonates the legitimate SymPy library, posing a significant supply chain risk because it successfully tricked developers into installing it. Versions 1.2.3 through 1.2.6 carried the malicious code, and the package was downloaded over 1,000 times in a short period, indicating that it reached developer and CI environments. The injected code in sympy-dev uses specific polynomial functions to clandestinely download and execute XMRig cryptominer payloads from remote command and control (C2) servers, using a Linux-specific in-memory execution method that minimizes disk artifacts. Despite efforts to remove the package from PyPI, it remains active, prompting security experts to stress dependency management, integrity checks, and the use of tools such as Socket's GitHub App and CLI to mitigate the risk of such typosquatting attacks. These attacks exploit familiar package names and branding to infiltrate systems; sympy-dev shows how a seemingly innocuous package can serve as a conduit for cryptomining and potentially other malicious activity.
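As an added example (not code from the Socket post or its tools), a small allowlist-based check that flags requirements entries which look like lookalikes of packages a project actually depends on, either a trusted name with a plausible affix (the sympy-dev pattern) or a one-character typo of it. The allowlist, the affix list and the sample requirements file are constructed for the demonstration.

```python
import re
KNOWN_PACKAGES = {"sympy", "numpy", "requests", "mpmath"}  # hypothetical allowlist, constructed for the demo
SUSPICIOUS_AFFIXES = ("dev", "devel", "test", "beta", "nightly", "utils", "tools")  # heuristic, not exhaustive
# Constructed requirements file: sympy-dev is the package from the report, symppy is a made-up typo.
SAMPLE_REQUIREMENTS = """\
numpy==1.26.4
sympy-dev==1.2.5   # impersonates sympy with a plausible suffix
requests>=2.31
symppy             # constructed one-character typo of sympy
mpmath
"""

def levenshtein(a, b):
    # Plain edit distance, enough to catch one-character typosquats
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirement_name(line):
    # Project name from one requirements line; None for blanks, comments and pip options
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None

def classify(name):
    # (reason, impersonated_name) when name looks like a lookalike of an allowlisted package
    n = re.sub(r"[-_.]+", "-", name).lower()  # PEP 503 name normalization
    if n in KNOWN_PACKAGES:
        return None
    for known in KNOWN_PACKAGES:
        if any(n in (f"{known}-{a}", f"{a}-{known}") for a in SUSPICIOUS_AFFIXES):
            return ("affix", known)
        if levenshtein(n, known) <= 1:
            return ("typo", known)
    return None

def scan_requirements(text):
    # (name, reason, impersonated) for every suspicious entry, in file order
    findings = []
    for name in filter(None, map(parse_requirement_name, text.splitlines())):
        verdict = classify(name)
        if verdict:
            findings.append((name, *verdict))
    return findings
```

Run in CI against the real requirements file, a hit is a prompt for a human to verify the package's maintainer and source before the build proceeds, not an automatic verdict, since near-matches also occur between unrelated legitimate projects.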