A patched authentication bypass in Python.org’s release management API shows how a software supply chain can be threatened without touching the actual installer.