Feed
HighPublished 17 Jan 20261 package · 4 versions

sympy-dev PyPI typosquat delivering XMRig cryptominer

Summary

A PyPI typosquat of SymPy was published by the account "Nanit" across four versions on Jan 17, 2026. It fetches a remote JSON config, downloads an ELF, and executes it from a memfd to evade disk-based detection. The payload is XMRig mining Monero on infected developer workstations.

typosquatobfuscationcryptominer
Detected by
Socket
Ecosystems
PyPI
Packages tracked
1

What happened

On January 17, 2026 a PyPI publisher operating as Nanit pushed four versions of sympy-dev (1.2.3 through 1.2.6), a typosquat of the real sympy symbolic-math library. The package was advertised as a development snapshot and reached PyPI's normal search results before Socket flagged it.

The loader fetches a remote JSON config, pulls down a Linux ELF binary, and executes it via memfd_create so the payload never touches disk. The binary is XMRig, a Monero cryptominer, configured to mine to wallets controlled by the publisher.

Resource theft is the headline impact, but the technique — in-memory ELF execution to defeat file-based EDR — is the more useful indicator for defenders. CI runners that resolved the typosquat will show unexplained outbound traffic to 63.250.56.54 and 185.167.99.46, plus memfd: entries in /proc/*/maps on Linux. The real package is sympy (no suffix); audit requirements.txt and pyproject.toml for sympy-dev anywhere.

Affected packages (1)

  • PyPIsympy-dev
    1.2.31.2.41.2.51.2.6

Impact

  • In-memory ELF execution via memfd_create bypasses file-based EDR
  • Compromised developer hosts mine Monero for the attacker
  • Resource theft on CI runners that resolved the typosquat

What to do

  1. 1Remove sympy-dev wherever installed; the real package is sympy
  2. 2Hunt for outbound traffic to 63.250.56.54 and 185.167.99.46
  3. 3Check for unexpected memfd-backed processes on Linux build hosts

References

pypi-2026-01-17-sympy-dev-miner