PyPI package 'keep' mistakenly included a password stealer

12-Jun-22

The backdoor was discovered in PyPI packages ‘keep,’ ‘pyanxdns,’ and ‘api-res-py’ due to the presence of a malicious ‘request’ dependency in some versions.

BleepingComputer contacted the authors of each of these packages to find out if the problem was caused by a simple typo, self-sabotage, or hacked maintainer accounts.