Top open source PyPI package with over 1 million downloads each month hacked to send out malware

This was not a case of stolen credentials, but rather of vulnerability exploitation.
Hosted on MSN

GitHub hit by critical RCE flaw and PyPI malware attack

GitHub has disclosed a critical remote code execution flaw, CVE-2026-3854, exploitable via a single git push, and a popular PyPI package tied to GitHub Actions was hacked to deliver malware. Both ...

PyPI package with 1.1M monthly downloads hacked to push infostealer

An attacker pushed a malicious version of the popular elementary-data package Python Package Index (PyPI) to steal sensitive ...