PyPI is often treated as a very trustworthy source of packages; in reality, anyone can upload a package to be distributed by PyPI. It is recommended to install Python libraries using the built-in operating system package manager where possible. For example, on Debian-based Linux systems using apt(8), it is recommended to use: apt install python3- (followed by the package name). Repositories maintained by Linux operating system developers typically have more stringent requirements for new packages.
In the event that using an operating system's package manager is not possible, or the package hasn't been added to the upstream repositories for a particular OS, it is advised to verify the spelling of the required package before installing it. Finding documentation online that matches the desired package can assist in verification. Users can also check https://pypi.org, search for the package they need, and do a cursory check that the name of the package matches the contents of the project description.
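One way to automate the spelling check above before running pip is to compare every entry in a requirements file against an allowlist of packages you already trust and flag names that are close, but not identical, to one of them. This is an added example, not code from the original post; the allowlist and the sample requirements are constructed for the demo, and the name normalization follows PEP 503.

```python
# Added example: flag requirements entries that resemble, but do not match,
# packages on a constructed allowlist of known-good names.
import re

KNOWN_GOOD = {"requests", "numpy", "cryptography", "urllib3", "pyyaml"}  # constructed
MAX_DISTANCE = 2  # names this close to a trusted name, but not equal, are suspicious


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line):
    """Project name from a requirements.txt line, or None for blank/comment/option lines."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def check_requirements(text):
    """Return {suspicious_name: closest_trusted_name} for the given requirements text."""
    known = {normalize(k) for k in KNOWN_GOOD}
    findings = {}
    for line in text.splitlines():
        name = requirement_name(line)
        if name is None or normalize(name) in known:
            continue  # exact match with a trusted name (after normalization) is fine
        close = [k for k in known if levenshtein(normalize(name), k) <= MAX_DISTANCE]
        if close:
            findings[name] = min(close, key=lambda k: levenshtein(normalize(name), k))
    return findings


# Constructed sample input: two entries are one letter away from trusted names.
SAMPLE_REQUIREMENTS = "requests==2.31.0\nrequets\nPyYAML>=6\ncrytography\nflask\n"

if __name__ == "__main__":
    for bad, good in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{bad!r} resembles {good!r}: confirm the name on https://pypi.org first")
```

Names not on the allowlist and not close to anything on it (like flask here) are passed through silently, so this check complements, rather than replaces, reading the project description on pypi.org.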
https://blog.phylum.io/phylum-discovers-dozens-more-pypi-packages-attempting-to-deliver-w4sp-stealer-in-ongoing-supply-chain-attack

