The weekend PyPI wave showed how a compromised maintainer account could publish malicious wheels that abused Python startup behavior.
It runs JS with Bun in a subprocess from a Python program.
It includes a counter-measure to LLM analysis with a comment about biological and nuclear weapons.