A package-chain compromise can do more than slip in bad code: it can turn developer tooling itself into the execution path for a cross-platform Python infostealer.
A years-long software supply chain attack exploited lookalike Go packages to siphon sensitive data from unsuspecting developers’ apps.