https://www.bleepingcomputer.com/news/security/pypi-packages-caught-sending-stolen-aws-keys-to-unsecured-sites/

Multiple malicious Python packages available on the PyPI repository were caught stealing sensitive information like AWS credentials and transmitting it to publicly exposed endpoints accessible by anyone.

PyPI is a repository of open-source packages that software developers use to pick the building blocks of their Python-based projects or share their work with the community.