Python Package Index (PyPI) is a repository of software code created in the Python programming language. Researchers at Sonatype found six different malicious packages hiding in PyPI, which have a collective 5,000 downloads, all uploaded by a user with the handle nedog123, according to a blog post. A single malicious package can be baked into multiple different projects infecting them with cryptominers, info-stealers and more, making remediation a complex process.
Source: https://threatpost.com/cryptominers-python-supply-chain/167135/