Top open source PyPI package with over 1 million downloads each month hacked to send out ...

This was not a case of stolen credentials, but rather of vulnerability exploitation.
来自MSN

Popular PyPI package hacked to deliver infostealing malware

A widely used open-source PyPI package, elementary-data, was compromised in a targeted attack that inserted infostealer malware via a GitHub Actions vulnerability. The malicious update, version 0.23.3 ...