I think the same thing happened with the ctx package a few years back (also through PyPI). Not perfect, but I think the best way to avoid this is to:
1. Download a source code snapshot of the package (e.g., from GitHub)
2. Audit it (traditionally manually, but now also LLM
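One way to make the audit step tractable, as an added example that is not part of the comment above: instead of reading the whole package, compare the archive obtained from the index against the source snapshot and read only what differs. The two tarballs below are constructed in memory (the package name, paths and contents are made up), not real ctx or PyPI artefacts.

```python
# Added example: compare an archive fetched from an index against a source
# snapshot (e.g. a GitHub tag tarball); all inputs here are constructed.
import hashlib
import io
import tarfile

def file_digests(archive_bytes):
    """Map each regular file to its SHA-256 (top-level dir stripped, since sdist and GitHub tarballs use different root names)."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                path = member.name.split("/", 1)[-1]
                data = tar.extractfile(member).read()
                digests[path] = hashlib.sha256(data).hexdigest()
    return digests

def compare_archives(distribution, snapshot):
    """Return the paths an auditor should read: added, modified and removed relative to the snapshot."""
    dist, src = file_digests(distribution), file_digests(snapshot)
    common = dist.keys() & src.keys()
    return {
        "added": sorted(dist.keys() - src.keys()),
        "modified": sorted(p for p in common if dist[p] != src[p]),
        "removed": sorted(src.keys() - dist.keys()),
    }

def build_tar(root, files):
    """Build a gzip tarball in memory (constructed test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(f"{root}/{name}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed inputs: the distribution carries one extra module and a
# changed setup.py, which is exactly what the audit should surface.
SNAPSHOT = build_tar("pkg-0.1.0", {
    "setup.py": b"from setuptools import setup\nsetup(name='pkg')\n",
    "pkg/__init__.py": b"__version__ = '0.1.0'\n",
})
DISTRIBUTION = build_tar("pkg-0.1.0", {
    "setup.py": b"from setuptools import setup\n# changed after the snapshot\nsetup(name='pkg')\n",
    "pkg/__init__.py": b"__version__ = '0.1.0'\n",
    "pkg/_extra.py": b"# not present in the source snapshot\n",
})
```

Running `compare_archives(DISTRIBUTION, SNAPSHOT)` reports `pkg/_extra.py` as added and `setup.py` as modified; those two files are where the manual or LLM review effort should go first.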
Securing Python Packages: Auditing Source Code to Prevent Supply Chain Attacks