From darkreading.com
An unidentified group of threat actors orchestrated a sophisticated supply chain cyberattack on members of the Top.gg GitHub organization as well as individual developers in order to inject malicious code into the code ecosystem.
The attackers infiltrated trusted software development elements to compromise developers. They hijacked GitHub accounts with stolen cookies, contributed malicious code via verified commits, established a counterfeit Python mirror, and released tainted packages on the PyPi registry.