More than 200 malicious packages were discovered infiltrating the PyPI and npm open source registries this week. The packages are largely typosquats of widely used libraries, and each one downloads a Bash script that runs a cryptominer on Linux systems.
When the site you’re pulling actual executable code from has essentially no moderation or pre-publish screening, you’re going to have a bad time. There’s a reason it’s so annoying and takes so long to get a new package into the official package repos for large Linux distributions, and it’s not just to spite you.
Just be glad no one’s tried pushing ransomware with these unmoderated managers.
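Since the registries do no pre-publish screening, the consumer side is where a typosquat has to be caught, and the check is cheap: compare each dependency name against a list of popular projects and flag anything one or two edits away that is not the project itself. The following is an added example, not code from the original post or from PyPI or npm. The allowlist is a constructed subset of well-known PyPI names, the requirements text is constructed sample input, and names such as osa_distance and screen_requirements are this example's own.

```python
"""Typosquat pre-screen for a Python dependency list (added example).

Assumptions (not from the original post): POPULAR_PACKAGES is a small
constructed subset of widely used PyPI names, and SAMPLE_REQUIREMENTS is
constructed sample input.
"""
import re

# Constructed allowlist. A real deployment would load the top-N names from a
# download-statistics feed instead of hard-coding a handful.
POPULAR_PACKAGES = {
    "requests", "urllib3", "numpy", "pandas", "setuptools", "cryptography",
    "pyyaml", "python-dateutil", "certifi", "boto3", "colorama",
}


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.'
    collapse to '-'. Names that normalize identically are the *same*
    project on PyPI, so they must not be reported as typosquats."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance.
    Insert, delete, substitute and adjacent transposition each cost one;
    transposition matters because 'requsets' is the classic typo shape."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def lookalikes(name: str, popular=POPULAR_PACKAGES, max_distance: int = 2):
    """Popular names within max_distance edits of `name`, excluding the
    project itself (after normalization). Short names get a tighter
    threshold, since two edits on a five-letter name matches too much."""
    n = normalize(name)
    if n in popular:
        return []
    threshold = 1 if len(n) < 6 else max_distance
    return sorted(p for p in popular if osa_distance(n, p) <= threshold)


_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def screen_requirements(text: str, popular=POPULAR_PACKAGES) -> dict:
    """Parse requirements.txt-style lines and map each suspicious dependency
    to the popular names it resembles. Comments, blank lines and option
    lines (-r, --index-url, ...) are skipped; version specifiers are
    ignored because only the project name is being judged."""
    findings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_LINE.match(line)
        if not m:
            continue
        dep = m.group(1)
        hits = lookalikes(dep, popular)
        if hits:
            findings[dep] = hits
    return findings


# Constructed sample input: a genuine pin, a differently-cased alias of a
# real project, and two names of the shape a typosquatter registers.
SAMPLE_REQUIREMENTS = """\
# constructed example requirements file
requests==2.31.0
PyYAML>=6.0          # normalizes to 'pyyaml', so not flagged
requsets             # transposition of 'requests'
python-dateutils     # one extra letter
--index-url https://pypi.org/simple
"""

if __name__ == "__main__":
    for dep, hits in screen_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{dep!r} resembles {hits}")
```

Run it as a pre-commit or CI step before the first pip install so the flag fires before any setup.py or install hook has a chance to fetch that Bash script. The check is deliberately name-only: it cannot catch a malicious package whose name matches a legitimate one exactly (dependency confusion), and the edit-distance threshold trades false positives for recall, which is why the allowlist should be the popular projects you actually depend on rather than every name on the registry.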