sympy-dev PyPI typosquat delivering XMRig cryptominer
A PyPI typosquat of SymPy was published by the account "Nanit" across four versions on Jan 17, 2026. It fetches a remote JSON config, downloads an ELF, and executes it from a memfd to evade disk-based detection. The payload is XMRig mining Monero on infected developer workstations.
- Detected by
- Socket
- Ecosystems
- PyPI
- Packages tracked
- 1
What happened
On January 17, 2026 a PyPI publisher operating as Nanit pushed four versions of sympy-dev (1.2.3 through 1.2.6), a typosquat of the real sympy symbolic-math library. The package was advertised as a development snapshot and reached PyPI's normal search results before Socket flagged it.
The loader fetches a remote JSON config, pulls down a Linux ELF binary, and executes it via memfd_create so the payload never touches disk. The binary is XMRig, a Monero cryptominer, configured to mine to wallets controlled by the publisher.
Resource theft is the headline impact, but the technique — in-memory ELF execution to defeat file-based EDR — is the more useful indicator for defenders. CI runners that resolved the typosquat will show unexplained outbound traffic to 63.250.56.54 and 185.167.99.46, plus memfd: entries in /proc/*/maps on Linux. The real package is sympy (no suffix); audit requirements.txt and pyproject.toml for sympy-dev anywhere.
Affected packages (1)
- PyPI
sympy-dev1.2.31.2.41.2.51.2.6
Impact
- In-memory ELF execution via memfd_create bypasses file-based EDR
- Compromised developer hosts mine Monero for the attacker
- Resource theft on CI runners that resolved the typosquat
What to do
- 1Remove sympy-dev wherever installed; the real package is
sympy - 2Hunt for outbound traffic to 63.250.56.54 and 185.167.99.46
- 3Check for unexpected memfd-backed processes on Linux build hosts