Article from https://hackaday.com/2018/10/31/
when-good-software-goes-bad-malware-in-open-source/

Open Source software is always trustworthy, right? [Bertus] broke a story
about a malicious Python package called "Colourama". When used, it secretly
installs a VBscript that watches the system clipboard for a Bitcoin address,
and replaces that address with a hardcoded one. Essentially this plugin 
attempts to redirects Bitcoin payments to whoever wrote the "colourama" 
library.

Why would anyone install this thing? There is a legitimate package named 
"Colorama" that takes ANSI color commands, and translates them to the Windows
terminal. It's a fairly popular library, but more importantly, the name 
contains a word with multiple spellings. If you ask a friend to recommend a
color library and she says "coulourama" with a British accent, you might 
just spell it that way. So the attack is simple: copy the original project's
code into a new misspelled project, and add a nasty surprise.

Sneaking malicious software into existing codebases isn't new, and this 
particular cheap and easy attack vector has a name: "typo-squatting".  But 
how did this package get hosted on PyPi, the main source of community 
contributed goodness for Python? How many of you have downloaded packages 
from PyPi without looking through all of the source? pip install colorama? 
We'd guess that it's nearly all of us who use Python.

It's not just Python, either. A similar issue was found on the NPM javascript 
repository in 2017. A user submitted a handful of new packages, all 
typo-squatting on existing, popular packages. Each package contained 
malicious code that grabbed environment variables and uploaded them to the 
author. How many web devs installed these packages in a hurry?