Two malicious versions of two Python packages were introduced in the Python Package Index (PyPI) with the purpose of stealing SSH and GPG keys from Python developers’ projects. […]

from https://www.bleepingcomputer.com/news/security/malicious-python-package-available-in-pypi-repo-for-a-year/