TikTok Trend Abused to Lure Users Into Installing Malware

Checkmarx's report on this attack states: “These attacks demonstrate again that cyber attackers have started to focus their attention on the open-source package ecosystem; We believe this trend will only accelerate in 2023.”
When installing any software from open-source sources such as PyPI or GitHub, be skeptical and perform due diligence: review the code base, check the spelling of package names to avoid typosquatting, verify the GitHub statistics shown for PyPI packages, search the internet for third-party references to the software, and use official OS packaging systems instead of open-source packaging systems whenever possible.

https://www.bleepingcomputer.com/news/security/tiktok-invisible-body-challenge-exploited-to-push-malware/