Six malicious packages were caught in the PyPI repository for Python projects; they turned developers' workstations into cryptomining machines. The packages were published by the same account and tricked developers into downloading them thousands of times by using misspelled names of legitimate Python projects. At detection time, the packages had accumulated almost 5,000 downloads since April, with maratlib recording the highest download count, 2,371. The malicious code is contained in the setup.py file, a build script that runs during a package's installation.
Source: https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-hijack-dev-devices-to-mine-cryptocurrency/
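As an added example (not code from the article or from the campaign it describes), the following defender-side check flags dependency names that sit a short edit distance from a known-good package name, which is how a typosquat like maratlib can be spotted before setup.py ever runs. The allow-list and sample requirements are constructed, and pairing maratlib with matplotlib is an assumption, not something the article states.

```python
# Added example: flag requirement names that look like typosquats of
# known packages. Allow-list and requirements below are constructed.
import re
from typing import Dict, List

# Constructed allow-list of packages this project legitimately depends on.
KNOWN_PACKAGES = ["matplotlib", "numpy", "requests", "pandas", "scipy"]

def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]

def normalize(name: str) -> str:
    # PyPI compares names case-insensitively; '-', '_' and '.' are equivalent.
    return re.sub(r"[-_.]+", "-", name.strip().lower())

def requirement_name(line: str) -> str:
    # Strip version specifiers, extras and markers: "numpy>=1.20; ..." -> "numpy".
    return re.split(r"[<>=!~\[; ]", line.strip(), maxsplit=1)[0]

def typosquat_suspects(requested: List[str], known: List[str],
                       max_ratio_pct: int = 40) -> Dict[str, str]:
    """Map each requested name that is close to, but not exactly, a known
    name onto the known name it resembles. A name is a suspect when its
    edit distance is at most max_ratio_pct percent of the longer name's
    length (integer arithmetic avoids float comparison surprises)."""
    known_norm = {normalize(k): k for k in known}
    suspects: Dict[str, str] = {}
    for req in requested:
        r = normalize(requirement_name(req))
        if not r or r in known_norm:
            continue                      # exact match: not a suspect
        nearest = min(known_norm, key=lambda k: levenshtein(r, k))
        dist = levenshtein(r, nearest)
        if 100 * dist <= max_ratio_pct * max(len(r), len(nearest)):
            suspects[req] = known_norm[nearest]
    return suspects

if __name__ == "__main__":
    # Constructed requirements file contents, one entry per line.
    reqs = ["maratlib", "numpy>=1.20", "reqeusts==2.25.1", "flask"]
    for bad, good in typosquat_suspects(reqs, KNOWN_PACKAGES).items():
        print(f"suspect: {bad!r} resembles {good!r}")
```

Run against a real requirements file this prints only the near-miss names; exact matches and unrelated names are left alone, so the output is short enough to review by hand.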

