Source distributions (sdist) can execute arbitrary code during installation via setup.py, making them a common attack vector for supply chain attacks. Unlike pre-built wheels, source distributions ...
In the PyPI attack, a malicious pull request exploited a script-injection flaw in a GitHub Actions workflow to add base64-encoded infostealer code to release 0.23.3, also affecting the project's ...