Software package repositories like npm, PyPI, and RubyGems have become targets for supply chain attacks, with malicious packages infiltrating these sources and posing threats to developers and CI/CD systems. JFrog's security research team recently identified several malicious Python packages on PyPI, which were subsequently removed after being downloaded approximately 30,000 times. These packages, including noblesse and pytagora, used simple obfuscation techniques and targeted sensitive information such as Discord tokens, credit card data, and system information, often utilizing public tools for obfuscation and payload delivery. The researchers highlighted the lack of moderation and security controls in public repositories, making them vulnerable to attacks through methods like typosquatting and dependency confusion. They emphasized the need for ongoing monitoring to mitigate these risks and credited Dustin Ingram for his prompt action in removing the threats.