The Python project “Ultralytics” recently experienced a supply-chain attack in which versions 8.3.41, 8.3.42, 8.3.45, and 8.3.46 were affected and had to be removed from PyPI. Although the attack succeeded, PyPI was able to audit the incident thanks to Trusted Publishing and PyPA’s publishing GitHub Action. The attack highlighted the importance of securing software forges and build workflows for open source projects. To improve security, API tokens that have gone unused for an extended period can be revoked, and developers can harden their build and publish workflows. Additionally, PyPI is working on new systems to reduce malware availability on the platform.
https://blog.pypi.org/posts/2024-12-11-ultralytics-attack-analysis/