Malicious PyPI Package Impersonates SymPy, Deploys XMRig Miner on Linux Hosts
Briefly

"When invoked, the backdoored functions retrieve a remote JSON configuration, download a threat actor-controlled ELF payload, then execute it from an anonymous memory-backed file descriptor using Linux memfd_create and /proc/self/fd, which reduces on-disk artifacts," security researcher Kirill Boychenko said in a Wednesday analysis. The altered functions are used to execute a downloader, which fetches a remote JSON configuration and an ELF payload from "63.250.56[.]54," and then launches the ELF binary along with the configuration as input directly in memory to avoid leaving artifacts on disk.
"The package, named , mimics SymPy, replicating the latter's project description verbatim in an attempt to deceive unsuspecting users into thinking that they are downloading a "development version" of the library. It has been downloaded over 1,100 times since it was first published on January 17, 2026. Although the download count is not a reliable yardstick for measuring the number of infections, the figure likely suggests some developers may have fallen victim to the malicious campaign. The package remains available for download as of writing."
A malicious PyPI package impersonating SymPy was published on January 17, 2026 and has been downloaded over 1,100 times. The package duplicates SymPy's project description and claims to be a development version to deceive users. Specific polynomial routines were modified to act as backdoors that trigger only when those functions are called. The backdoors retrieve a remote JSON configuration, download an ELF payload and execute it directly in memory using memfd_create and /proc/self/fd to reduce on-disk artifacts. Retrieved payloads come from 63.250.56[.]54 and aim to deploy XMRig-compatible miners on Linux hosts.
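A defender-side check for the execution technique described above, added here as an example and not part of the article or the reported sample: once a process has exec'd an ELF image through /proc/self/fd/N on a memfd_create descriptor, the kernel reports that image as "/memfd:<name> (deleted)" in /proc/<pid>/exe and in /proc/<pid>/maps, so a scan of /proc can flag binaries that exist only in memory. The maps excerpt is constructed for offline testing; the memfd name "payload" is a placeholder, not a value from the report.

```python
import os
import re
from typing import NamedTuple

# After execve() of /proc/self/fd/<n> backed by memfd_create(), /proc/<pid>/exe and the
# mapping entries in /proc/<pid>/maps read "/memfd:<name> (deleted)" instead of a disk path.
MEMFD_PATH = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")

# Constructed /proc/<pid>/maps excerpt (not taken from the reported sample) for offline tests.
SAMPLE_MAPS = """\
55d1c0000000-55d1c0200000 r-xp 00000000 00:01 1234 /memfd:payload (deleted)
7f1a00000000-7f1a00200000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
"""

class Finding(NamedTuple):
    pid: int
    exe_target: str
    cmdline: str

def is_memfd_path(path: str) -> bool:
    """True if a /proc path (exe link target or maps path column) refers to an anonymous memfd."""
    return MEMFD_PATH.match(path) is not None

def memfd_mappings(maps_text: str) -> list[str]:
    """Return the distinct memfd-backed paths found in a /proc/<pid>/maps listing."""
    found: list[str] = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode [path with spaces]
        if len(fields) == 6 and is_memfd_path(fields[5]) and fields[5] not in found:
            found.append(fields[5])
    return found

def scan_proc(proc_root: str = "/proc") -> list[Finding]:
    """Flag every process whose main executable lives in a memfd rather than on disk."""
    findings: list[Finding] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(f"{proc_root}/{entry}/exe")
            with open(f"{proc_root}/{entry}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited, kernel thread, or another user's process without privilege
        if is_memfd_path(target):
            findings.append(Finding(int(entry), target, cmdline))
    return findings

if __name__ == "__main__":
    for f in scan_proc():
        print(f"pid={f.pid} exe={f.exe_target} cmdline={f.cmdline!r}")
```

Run as root to see all processes; unprivileged runs silently skip processes owned by other users, so a periodic privileged scan (or the equivalent check in an EDR rule on /proc/<pid>/exe) is needed for coverage.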
Read at The Hacker News