sympy-dev@1.2.6Malicious

Verified

Analysed at: 1/17/26, 3:49 PM

Source: https://files.pythonhosted.org/packages/72/6a/dbe9a938982a771502eaa45da8814c7ea5ca74fa3ae44d5cc7256363b9bf/sympy_dev-1.2.6-py3-none-any.whl

SHA256: 1cc61555320bb3d75fdf361fc4cd50a4bb9a76cccf7566d392672d594c7d3475

Confidence: High

Summary

Note: This report is updated by a verification record

Package downloads and executes code from remote servers, indicating malicious behavior. Multiple files and IPs involved, strong evidence.

Verification Record

The package is marked as malware by OSV: MAL-2026-450 with source: OSV

Details

Note: This report is updated by a verification record

The package contains multiple instances of malicious code execution. Specifically, sympy/polys/polyroots.py and sympy/polys/polytools.py download and execute code from remote servers (185.167.99.46 and 63.250.56.54 respectively) using memfd_create and os.execv, which is a strong indicator of malicious intent. Also, YARA rule http_hardcoded_ip matched these files, further supporting the malicious classification.

Summary

Note: This report is updated by a verification record

Package downloads and executes code from remote servers, indicating malicious behavior. Multiple files and IPs involved, strong evidence.

Verification Record

The package is marked as malware by OSV: MAL-2026-450 with source: OSV

Details

Note: This report is updated by a verification record

sympy-dev@1.2.6Malicious

Verified

Analysed at: 1/17/26, 3:49 PM

Source: https://files.pythonhosted.org/packages/72/6a/dbe9a938982a771502eaa45da8814c7ea5ca74fa3ae44d5cc7256363b9bf/sympy_dev-1.2.6-py3-none-any.whl

SHA256: 1cc61555320bb3d75fdf361fc4cd50a4bb9a76cccf7566d392672d594c7d3475

Confidence: High