Good Twitter thread with background on the incident. The package has 2,000,000 downloads per week and is used by many other core libs. It appears the attacker persuaded the (overloaded) legit maintainer to hand over ownership, then backdoored the package in order to attack copay-dash, a cryptocurrency wallet app.
‘It provides legal protections. But the problem is that those protections may not be practically effective. The other problem is the effect that you, as a consenting adult, may have on other people who are related to you but who haven’t consented.’ — useful thread
Declarative Airflow Workflows in YAML, from Etsy