RE: https://infosec.exchange/@dangoodin/116285175398594132

Notice how the compromised releases were directly uploaded. This is why `pylock.toml` includes attestation data and trusted publishing is important. If the project used trusted publishing then the lack of attestation data could have been noticed in a diff of the lock file as it would have suddenly disappeared (which is also why `pylock.toml` was designed to be human-readable).

@brettcannon @pjacock @dangoodin do you have a human- (read: noob-) readable intro to these concepts? I don’t think we use pylock in any of the projects I lead. 😬