The fact that this was a .pth file is particularly nasty. Unlike a compromised import, a .pth file runs on every Python process, not just ones that use the library. If you had the package installed in a shared environment, every Python script on that machine was triggering the payload.

What the hell? Why is that a thing??

RE: https://mamot.fr/users/Khrys/statuses/116286245381869095

@hazelnoot That's one more reason to never use pip outside of venvs or containers
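
The .pth behaviour quoted in the first post can be audited for. This is an added example, not part of the thread: it lists the lines in each `.pth` file that Python's `site` module would execute at interpreter startup. The function names are made up for illustration.

```python
"""Audit .pth files for lines that Python's site module executes at startup."""
import os
import site


def executable_pth_lines(pth_path):
    """Return (line_number, text) for each line site.py would pass to exec().

    site.py skips blank lines and lines starting with '#', executes lines that
    start with 'import ' or 'import\\t', and treats every other line as a
    directory to append to sys.path.
    """
    hits = []
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, start=1):
            if line.startswith("#") or not line.strip():
                continue
            if line.startswith(("import ", "import\t")):
                hits.append((number, line.rstrip("\n")))
    return hits


def audit_site_dirs(site_dirs):
    """Scan each directory for *.pth files; return {path: [executable lines]}."""
    findings = {}
    for directory in site_dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if name.endswith(".pth"):
                path = os.path.join(directory, name)
                hits = executable_pth_lines(path)
                if hits:
                    findings[path] = hits
    return findings


def current_site_dirs():
    """Site directories of the running interpreter (global and per-user)."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    user = site.getusersitepackages() if hasattr(site, "getusersitepackages") else None
    return dirs + ([user] if user else [])


if __name__ == "__main__":
    for path, hits in audit_site_dirs(current_site_dirs()).items():
        for number, text in hits:
            print(f"{path}:{number}: {text[:120]}")
```

A hit is a line to review rather than proof of compromise, since some legitimate packages also ship executable `.pth` lines. Running the script with a venv's interpreter audits that venv's own site directory.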