Two malicious packages posing as two legitimate Python libraries were uploaded to the Python Package Index (PyPI) with the purpose of stealing SSH and GPG keys from Python developers' projects. One of them, which used typosquatting to impersonate a legitimate library, remained in the repository for about a year. The other survived for just a couple of days. Both bad packages discovered in PyPI were uploaded under the same developer name, olgired2017. Apart from the malicious code, they worked exactly like the originals, so developers using them would not notice a difference.
Source: https://www.bleepingcomputer.com/news/security/malicious-python-package-available-in-pypi-repo-for-a-year/
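The defensive counterpart to the typosquatting described above is to check a project's pinned dependencies against the names it is actually expected to use and flag near-misses before they are installed. The script below is an added example written for this page, not code from the article or from PyPI: it parses requirement lines, normalizes names the way PyPI does (PEP 503), and reports any unexpected name within a small edit distance of an expected one. The allow-list and the requirements text are constructed for the example; the misspelled entries are invented and are not the packages the news item refers to.

```python
import re

# Constructed allow-list: the package names this (hypothetical) project is
# expected to depend on. These are real PyPI project names used only as the
# reference set for the comparison.
EXPECTED_PACKAGES = ["requests", "python-dateutil", "cryptography", "urllib3"]

# Constructed requirements file. The two misspelled entries are invented
# look-alikes for this example, not real package names from the article.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
python-dateutil>=2.8  # legitimate, with a trailing comment
pyhton-dateutil>=2.8
cryptography~=42.0
reqeusts==2.31.0
urllib3[socks]>=1.26
"""


def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of '-', '_' and '.'
    collapse to a single '-'. PyPI treats names equal under this rule as the
    same project, so comparisons must be done on the normalized form."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement_names(text):
    """Extract normalized project names from requirements-file lines.
    Comments, blank lines and option lines (e.g. '-r other.txt') are skipped;
    version specifiers and extras such as '[socks]' are cut off."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(normalize(match.group(0)))
    return names


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) with O(len(b)) memory."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_suspicious(names, expected, max_distance=2):
    """Return (requested_name, closest_expected_name, distance) for every
    requested name that is not in the allow-list but lies within
    max_distance edits of an allow-listed name. Exact matches are fine;
    unknown names that are not close to anything are left to other checks."""
    expected_norm = sorted({normalize(e) for e in expected})
    findings = []
    for name in names:
        if name in expected_norm:
            continue
        closest = min(expected_norm, key=lambda e: levenshtein(name, e))
        distance = levenshtein(name, closest)
        if distance <= max_distance:
            findings.append((name, closest, distance))
    return findings


if __name__ == "__main__":
    requested = parse_requirement_names(SAMPLE_REQUIREMENTS)
    for name, closest, distance in find_suspicious(requested, EXPECTED_PACKAGES):
        print(f"SUSPICIOUS: '{name}' is {distance} edit(s) from expected '{closest}'")
```

Run against the constructed input, the check flags `pyhton-dateutil` and `reqeusts` as look-alikes of allow-listed names while accepting the exact matches, including `urllib3[socks]` once the extras marker is stripped. A threshold of two edits catches transpositions and single dropped or added characters; raising it increases false positives on short names, so in practice the allow-list should be per project and the check run in CI before `pip install`.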