A stream of malicious npm and PyPI packages has been found stealing a wide range of sensitive data from software developers on the platforms. […]
from https://www.bleepingcomputer.com/news/security/ssh-keys-stolen-by-stream-of-malicious-pypi-and-npm-packages/