Danger lurking in the code: How a manipulated Python package endangers entire companies

A new example of sophisticated software supply chain attacks reveals just how cunning threat actors have become in infiltrating corporate networks without leaving a trace. In January 2026, a manipulated package was discovered in the official Python Package Index (PyPI) disguised as a legitimate development version of the popular SymPy library. Instead of delivering mathematical functions, it secretly installed a cryptominer on affected Linux systems.

This attack doesn't just affect developers – it exposes dangerous vulnerabilities in the software deployment of many companies. Anyone using open-source software in development and production environments without accompanying security strategies opens the door to industrial espionage, resource theft, and systematic economic crime.

Whether it's a medium-sized business, a large corporation, or critical infrastructure – this incident is not an isolated case. Leaders in positions of responsibility – CEOs, CIOs, CISOs, and CSOs – must recognize that the attack surface has expanded. And with it, the risks to intellectual property, operational stability, and reputational damage.

In this editorial, we will show you exactly what happened, how you can make your organization resilient with the support of ProSec, and what this attack means for your software security strategy.

Manipulated open-source components: An overview of the PyPI attack

The package released as "sympy-dev" deceptively imitated the original project "SymPy" – a widely used Python library for symbolic mathematics. The catch: the manipulated version contained the same project description as the original to inspire confidence. More than 1,100 downloads were registered – enough to assume that real systems were compromised.

The malicious function in this case was deliberately hidden in such a way that it is only activated when specific mathematical functions ("polynomial routines") are used. A digital "sleeper" in the development environment – with fatal consequences: Once activated, the package loads an XMRig cryptominer and executes it on the Linux host via a memory-based mechanism (memfd_create), without leaving any trace on the hard drive.

An attack that not only steals CPU resources but also provides valuable entry points for downstream attacks such as data exfiltration, espionage, or extortion – because the malware also serves as a generic loader that can load additional code for further attacks.

These techniques follow the pattern of other complex supply chain attacks, as observed in previous attack series such as "FritzFrog" or "MIMO".
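A program started from a memfd_create descriptor has no binary on disk, but its `/proc/<pid>/exe` link still reads `/memfd:<name> (deleted)`. The following added example (not from the original article or from ProSec) scans a Linux host for that marker; the function names and the `expected` allowlist are assumptions made for illustration.

```python
import os
import re

# readlink("/proc/<pid>/exe") for a program started from a memfd_create()
# descriptor reads "/memfd:<name> (deleted)": no file on disk backs it.
MEMFD_EXE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


def classify_exe(target):
    """Return the memfd name if an exe link points into memory, else None."""
    match = MEMFD_EXE.match(target)
    return match.group("name") if match else None


def read_cmdline(proc_root, pid):
    """Best-effort command line; the process controls it, so treat it as a hint."""
    try:
        with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
            raw = fh.read()
    except OSError:
        return ""
    return raw.replace(b"\0", b" ").decode(errors="replace").strip()


def scan_proc(proc_root="/proc", expected=frozenset()):
    """List (pid, memfd_name, cmdline) for processes executing from a memfd.

    `expected` holds memfd names of software known to run this way in your
    environment (hypothetical allowlist; populate it from a clean baseline).
    """
    findings = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or missing privileges
        name = classify_exe(target)
        if name is not None and name not in expected:
            findings.append((int(entry), name, read_cmdline(proc_root, entry)))
    return findings


if __name__ == "__main__":
    for pid, name, cmdline in scan_proc():
        print(f"pid={pid} memfd={name!r} cmdline={cmdline!r}")
```

Run it as root on build agents and developer workstations so that other users' processes are readable; some legitimate software also executes from memfd, which is what the `expected` set is for.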

Why companies should be alarmed now

What makes this incident so dangerous is not crypto-mining itself, but the underlying pattern of targeted deception in the supply chain.

Anyone relying on third-party software components today – especially open-source software – is making a business-critical decision. This is because software dependencies are deeply integrated into build processes, products, and customer interfaces. The entry point for such malicious code components is usually not in traditional operations, but in the development environment – precisely where many companies have implemented little to no visibility or protection mechanisms.

At the same time, open-source packages are essential for agility, innovation, and competitive advantages. The dependency is real – but it can be mitigated.

For companies this means specifically:

  1. Software supply chains are no longer a peripheral technical issue, but rather an integral part of your strategic risk management.
  2. Attacks are not merely disruptive – they provide entry points for industrial espionage, data loss, and undetected compromises for months.
  3. Companies with Linux infrastructure or development departments using Python must react – regardless of the industry.

What this type of attack reveals about modern economic crime

In this specific case, it was a classic case of "cryptojacking"—that is, the covert exploitation of IT resources for mining cryptocurrencies, in this instance using XMRig. But that's just the tip of the iceberg. Modern, structured attackers often use such initial infections to systematically gather information, map networks, and selectively infiltrate vertical industries—for example, in mechanical engineering, research, or the defense sector.

The attackers' business model has become more professional. It involves long-term theft of intellectual property, extortion, sabotage, and the reliable monetization of compromised companies.

Failure of classical protection mechanisms

The biggest weakness we repeatedly observe at ProSec in project analyses and incident response scenarios is that companies rely too heavily on traditional endpoint and network security. Attacks like this one, however, occur in the "gray area"—during development, between the IDE and the repository, within seemingly harmless libraries.

Traditional security tools fail to detect malicious code disguised as legitimate packages or memory-based execution without disk artifacts. Furthermore, critical processes, such as those in CI/CD pipelines, are often not considered security-relevant – a misconception.

Why supply chain security is a top priority

A recent analysis of the MITRE ATT&CK framework clearly shows that attackers are increasingly relying on techniques in the Initial Access and Lateral Movement phases that work with so-called Living-Off-the-Land (LOTL) tactics – i.e., legitimate functions within the system that are repurposed for malicious purposes.

Reactive measures are no longer sufficient. Companies must establish supply chain security as a company-wide discipline – involving management, purchasing, legal & compliance, development and IT security.

C-level executives must be able to answer the following questions, among others, with a clear security concept:

  • Which open-source components and dependencies do we use in which applications?
  • Were all packages validated using package signing, hash verification, or reproducible builds?
  • Can developers integrate their own libraries – or are there certified release processes?
  • How quickly could we react to a compromised package in our supply chain?

What companies should do now

  1. Inventory & Transparency
    Gain complete transparency as quickly as possible regarding the open-source components used in development, testing, and production environments. Tools like the Software Bill of Materials (SBOM) can help with this – and will be required by regulations in the future (e.g., via NIS2 or the EU's Cyber Resilience Act) [Source: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act].
  2. Validation & Release Processes
    Every package – whether obtained via PyPI, npm, Maven, or other registries – should be checked, verified, and documented using automated policies. Blacklisting alone is insufficient. Package signing and supply chain provenance verification should be standard practice.
  3. Detecting memory-based attack tactics
    Techniques like "memfd_create" demonstrate that modern malware foregoes file system traces. Detecting them requires specialized monitoring systems in runtime environments – for both containers and traditional VM-based workloads.
  4. Establish security by design in the software lifecycle
    IT security is not an add-on for the operational phase – it must become an integral part of your software development methodology. Concepts like Secure SDLC (Secure Software Development Lifecycle) and DevSecOps are no longer an option, but a requirement.
  5. Adjusting Incident Response Capabilities
    Crisis management plans must also cover supply chain incidents without traditional signatures. Without decentralized sensors in build environments and near-production telemetry, your response time remains dangerously limited.
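For the validation and release step above, the following added example (not from the original article or from ProSec) audits a requirements file against an allowlist and flags unpinned versions, missing hashes, and names that imitate an approved package the way "sympy-dev" imitated "sympy". The allowlist, sample file, versions, digest and function names are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

APPROVED = {"sympy", "mpmath"}  # assumption: your organisation's release allowlist
REQ = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?P<spec>[^;#\s]*)")
HASH = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")
FAKE = "0" * 64  # constructed placeholder digest, not a real package hash
SAMPLE = f"""\
sympy==1.0 --hash=sha256:{FAKE}
sympy-dev==1.0
mpmath>=1.0
requests==2.0 --hash=sha256:{FAKE}
"""  # constructed requirements file; versions are illustrative


def lookalike_of(name, approved=APPROVED):
    """Return the approved package an unapproved name imitates, or None."""
    for good in sorted(approved):
        affixed = name.startswith(good + "-") or name.endswith("-" + good)
        if affixed or SequenceMatcher(None, name, good).ratio() >= 0.8:
            return good
    return None


def audit(requirements_text, approved=APPROVED):
    """Return [(package, [issues])] for entries that should block a release."""
    findings = []
    for line in requirements_text.replace("\\\n", " ").splitlines():
        entry = REQ.match(line.strip())
        if not entry:
            continue  # blank line, comment, or pip option such as -r / --index-url
        # PEP 503 normalisation, so 'SymPy_Dev' and 'sympy-dev' compare equal
        name = re.sub(r"[-_.]+", "-", entry.group("name")).lower()
        issues = []
        if name not in approved:
            good = lookalike_of(name, approved)
            issues.append(f"imitates approved '{good}'" if good else "not on allowlist")
        if not entry.group("spec").startswith("=="):
            issues.append("version not pinned with ==")
        if not HASH.search(line):
            issues.append("no sha256 hash")
        if issues:
            findings.append((name, issues))
    return findings


if __name__ == "__main__":
    for package, issues in audit(SAMPLE):
        print(f"{package}: {'; '.join(issues)}")
```

pip enforces the hash requirement itself when invoked as `pip install --require-hashes -r requirements.txt`; the allowlist and lookalike checks are the additional gate shown here.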

How ProSec can specifically support you

At ProSec, we help companies not only to identify the right technical tools, but above all to implement holistic security strategies that deliver business benefits. Our focus is on the sustainable resilience of your digital supply chains – regardless of whether you develop in-house or work with service providers.

Our service portfolio includes:

  • Supply chain assessment and threat modeling along your software lifecycle chain
  • Integration of secure CI/CD pipelines including automated dependency checking
  • Development of organization-specific SBOM guidelines (including preparation for regulatory requirements such as NIS2 or CRA)
  • Runtime monitoring for memory-based attack mechanisms
  • Establishing DevSecOps initiatives with the involvement of all relevant stakeholders

We not only provide technology, but also link it to your business goals. Security reduces entrepreneurial risk, strengthens your market position – and builds trust with customers and investors.

Let's work together to prevent simple software from becoming a gateway for sophisticated attacks.

FAQ – Frequently Asked Questions answered in an easy-to-understand way

A supply chain attack aims to exploit vulnerabilities in upstream processes or suppliers – e.g., by falsifying software packages, exploiting security gaps in third-party vendors, or using compromised build tools.

memfd_create is a Linux function for creating memory-based file descriptors. It allows programs to be executed directly in memory – thus making them more difficult to identify, since no file is stored on the disk.

A cryptominer uses a computer's computing resources to generate cryptocurrencies – usually without the user's knowledge. XMRig is a common example, especially in the context of unauthorized mining attacks (so-called cryptojacking).

Python packages are reusable software modules that are publicly accessible via central platforms such as the Python Package Index (PyPI). Developers often integrate them into their own programs – which provides an ideal entry point for attackers.

A Software Bill of Materials (SBOM) is a structured list of all software components – including versions, licenses, and origin. It helps companies gain transparency into their software landscape and respond quickly to threats.
