Credit: The original article is published here.
This was not a case of stolen credentials, but rather of vulnerability exploitation.
Top open source PyPI package with over 1 million downloads each month hacked to send out malware
Top open source PyPI package with over 1 million downloads each month hacked to send out malware
![[Aggregator] Downloaded image for imported item #124704](https://kcmicro.com/wp-content/uploads/2026/04/GettyImages-1223459427-800x500.jpg "[Aggregator] Downloaded image for imported item #124704")
![[Aggregator] Downloaded image for imported item #124671](https://kcmicro.com/wp-content/uploads/2026/04/p2uWFBGHtrHTjrYSDny87M-1280-80-800x500.jpg "[Aggregator] Downloaded image for imported item #124671")
![[Aggregator] Downloaded image for imported item #62857](https://kcmicro.com/wp-content/uploads/2025/11/5rDPr5xYvLwnkP7ZvpR2w3-1280-80-800x500.jpg "[Aggregator] Downloaded image for imported item #62857")