Three PyPI Packages Found to Include a Password Stealer by Mistake
Three PyPI packages were found to contain a backdoor because certain versions pulled in a malicious dependency, exposing their users to a supply chain attack. The risk from the ‘Keep’ package is particularly high, as it averages over 8,000 downloads per week. Even though PyPI removed the malicious ‘request’ package, many mirror sites may not have removed it entirely, so there is a risk that it can still be installed.
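The practical defender's question after a report like this is whether anything in your own environment declares a dependency on the withdrawn package, since mirrors and stale caches may still serve it. The script below is an added example written for this page, not code from the article or from PyPI: it walks installed distributions (or a constructed sample of package metadata) and flags any that list a blocklisted dependency name, after PEP 503 normalization so spelling variants such as `Request` or `request_` are caught. The blocklist containing only `request` and the sample package names are assumptions for illustration; the affected versions are not given on the page, so none are hard-coded here.

```python
"""Flag installed (or sampled) Python packages that declare a dependency on a
blocklisted project name, e.g. a malicious dependency pulled in transitively.

Added example for this page; not code from the article or from PyPI.
"""
import re
from importlib import metadata
from typing import Dict, List, Optional, Set, Tuple

# ASSUMPTION: blocklist for illustration. The article names only "request"
# as the removed malicious dependency; add names from your own advisories.
BLOCKLIST: Set[str] = {"request"}

# Leading project name of a Requires-Dist / requirements line
# (stops before extras "[...]", version specifiers, and environment markers).
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def dependency_name(requirement: str) -> Optional[str]:
    """Return the normalized project name from a requirement string, or None."""
    m = _NAME_RE.match(requirement)
    return normalize(m.group(1)) if m else None


def find_blocklisted(deps_by_package: Dict[str, List[str]],
                     blocklist: Set[str] = BLOCKLIST) -> List[Tuple[str, str]]:
    """Return (package, dependency) pairs where a declared dependency is blocklisted."""
    bad = {normalize(b) for b in blocklist}
    hits: List[Tuple[str, str]] = []
    for pkg, reqs in deps_by_package.items():
        for req in reqs:
            dep = dependency_name(req)
            if dep is not None and dep in bad:
                hits.append((pkg, dep))
    return hits


def installed_dependencies() -> Dict[str, List[str]]:
    """Collect Requires-Dist metadata for every distribution in this environment."""
    out: Dict[str, List[str]] = {}
    for dist in metadata.distributions():
        # dist.requires is None for distributions that declare no dependencies
        out[dist.metadata["Name"]] = list(dist.requires or [])
    return out


# Constructed sample resembling the metadata of a trojanized release next to a
# clean one; package names other than "request" are hypothetical.
SAMPLE: Dict[str, List[str]] = {
    "example-notifier": ["request>=0.0.1", "urllib3"],
    "example-clean": ["requests>=2.0", "click"],
}

if __name__ == "__main__":
    for pkg, dep in find_blocklisted(SAMPLE):
        print(f"sample: {pkg} depends on blocklisted package '{dep}'")
    # Live scan of the interpreter's own environment:
    for pkg, dep in find_blocklisted(installed_dependencies()):
        print(f"installed: {pkg} depends on blocklisted package '{dep}'")
```

Because the match is on the normalized dependency name rather than on the installed package list alone, the legitimate `requests` does not trigger a hit while `request`, `Request` or `request_` would; run it inside each virtual environment and CI image, since a removed package that a mirror still serves is only visible where it was actually resolved.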