rvz 6 hours ago

Shai-Hulud strikes again and continues to turn innocent packages into zombies.

Think twice before looking at a package and most importantly, always pin your dependencies.

pixel_popping 5 hours ago | parent

Yeah, pin the malware :p

rvz 4 hours ago | parent

Nope. Those on pinned versions don't get the malware.

You would have to publish the infected package first to infect others who haven't pinned their dependencies. With a simple pip install -U, if the dependency is not pinned, they will get the vulnerable version.
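As an added example, not from the thread or any project mentioned in it: a small Python check that reports which entries in a requirements.txt are floating (so a `pip install -U` could move them to a newer, unreviewed release) versus exactly pinned. The sample requirements file and its hash value are constructed placeholders.

```python
import re

# Constructed sample requirements.txt (the hash value is a placeholder, not a real digest).
SAMPLE_REQUIREMENTS = """\
# constructed example requirements.txt
requests==2.31.0 --hash=sha256:PLACEHOLDER_NOT_A_REAL_HASH
urllib3==2.2.1 ; python_version >= "3.8"
pkg[socks]==1.0  # extras do not affect pinning
flask>=2.0
celery~=5.3
pyyaml
-r other-requirements.txt
"""

# name, optional [extras], then the version specifier (PEP 508-style name characters)
_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?P<spec>.*)$")

def is_pinned(spec: str) -> bool:
    """True only if every clause is an exact '==' without a wildcard suffix (e.g. ==1.2.*)."""
    clauses = [c.strip() for c in spec.split(",") if c.strip()]
    return bool(clauses) and all(
        c.startswith("==") and not c.endswith(".*") for c in clauses
    )

def audit_requirements(text: str) -> list[tuple[int, str, str, bool]]:
    """Return (line_no, name, spec, pinned) for each requirement line in the file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "-")):
            continue  # blank line, comment, or a pip option such as -r / -e
        line = line.split(" #", 1)[0]                      # drop trailing comment
        line = line.split(";", 1)[0]                       # drop environment marker
        line = re.split(r"\s+--", line, maxsplit=1)[0]     # drop inline --hash options
        m = _REQ_RE.match(line.strip())
        if m:
            spec = m.group("spec").strip()
            findings.append((no, m.group("name"), spec, is_pinned(spec)))
    return findings

def unpinned(text: str) -> list[str]:
    """Names that `pip install -U` could float to a newer release than the one you reviewed."""
    return [name for _, name, _, pinned in audit_requirements(text) if not pinned]
```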