News
A researcher going by the handle mschwager on GitHub demonstrated an attack method that abuses the 'setup.py' file in Python modules to perform code execution when the package is installed.
ESET communicated with PyPI to take action against the remaining ones and all of the known malicious packages are now offline. The full list of 116 packages can be found in our GitHub repository.
Setting up uv and working with venvs: There are a few different ways to install uv. A common and easy way to get started is to use pip to install uv into an underlying Python installation.
Have you ever wished you could edit Python packages installed locally without reinstalling them? Editable installs are the way.
10 malicious Python packages exposed in latest repository attack: Supply-chain attacks are moving GitHub toward digitally signed packages.