Dwarf Fortress’ graphical upgrade provides a new way into a wildly wonky game


nisegami 12d
Some thoughts:

1. The blast radius appears to be very minimal, the affected github package has 0 stars, 2 contributors, 1 watcher and 4 issues total.

2. The issue was caught and resolved quickly (within a day?).

3. I haven't seen any explanation by the developer on whether their account was compromised?

denton-scratch 12d
> a package whose maintainer's account was likely compromised by a malicious actor

They don't say why they think it was an account compromise, rather than a malicious maintainer.

dlor 12d
The issue from the researchers appears to be here: https://github.com/timaakulich/fastapi_toolkit/issues/4

This is definitely pretty strange. Account takeovers happen, but just reverting the commit and closing the issue after one gets discovered is not the best way to handle these.

This is the reality of our modern software development process though. Your threat model now must include the GitHub account of every maintainer of every open source project you use.

oefrha 12d
According to https://pypistats.org/packages/fastapi-toolkit, this package had 158 downloads in total in the past month. This would include automated tools (e.g. this GuardDog mentioned in TFA) grabbing every single package version published.

But of course they have to hype it up with "50k stars", "used by Microsoft, Uber, and Netflix" blah blah, otherwise it's a complete non-story.

kjok 12d
Again some esoteric package that likely nobody uses. If you’re worried about such attacks, private registry mirrors can go a long way.

IAmGraydon 12d
The author worked in Belarus for Wargaming.net until just before making this commit. Wargaming recently withdrew their operations from Belarus and Russia for obvious reasons, and the author appears to have lost his job with them as a result. Combined with the way he nonchalantly reversed the commit, I’m thinking the theory on r/netsec may not be so far-fetched.