Dynamic dependency resolution, dependency sprawl that is biased toward time-to-market (TTM), and the absence of least authority (POLA) in CI/CD pipelines together make up one of the more frightening industry developments of the past decade. CI/CD systems often hold the broadest access in an organization and are the least frequently hardened.
“This attack technique involves hijacking PyPI software packages by manipulating the option to re-register them once they’re removed from PyPI’s index by the original owner; a technique we’ve dubbed ‘Revival Hijack’.”
https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/
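The quoted technique works because a name that its owner deleted can be re-registered, and a pinned `name==version` is still satisfied by whatever the index now serves under that name and version. The following is an added example, not code from the JFrog post: it models two index snapshots (constructed, with a hypothetical package `legacy-helper` that was deleted and re-registered by a different uploader), emits requirements in the `--hash=sha256:` format that `pip-compile --generate-hashes` produces, and compares version-only resolution against the check that `pip install --require-hashes` performs. Package names, uploader labels and artifact bytes are made up for the demonstration.

```python
"""
Added example: version pinning alone does not stop a Revival Hijack;
artifact hash pinning does. All index data below is constructed.
"""
import hashlib
import re

# Constructed snapshot of the index when the lockfile was generated:
# name -> version -> (artifact bytes, uploader). Real PyPI serves wheels
# and sdists; short byte strings stand in for them here.
INDEX_AT_LOCK_TIME = {
    "legacy-helper": {"0.1.2": (b"original legacy-helper 0.1.2 sdist", "original-owner")},
    "requests": {"2.31.0": (b"requests 2.31.0 wheel", "psf")},
}

# Constructed snapshot after the owner deleted `legacy-helper` and someone
# re-registered the name, uploading a new artifact under the SAME version.
INDEX_NOW = {
    "legacy-helper": {"0.1.2": (b"malicious legacy-helper 0.1.2 sdist", "attacker")},
    "requests": {"2.31.0": (b"requests 2.31.0 wheel", "psf")},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def generate_hashed_requirements(index) -> str:
    """Emit pins in the layout pip-compile --generate-hashes uses:
    `name==version \\` followed by indented `--hash=sha256:<hex>` lines."""
    lines = []
    for name, versions in sorted(index.items()):
        for version, (blob, _uploader) in sorted(versions.items()):
            lines.append(f"{name}=={version} \\\n    --hash=sha256:{sha256_hex(blob)}")
    return "\n".join(lines) + "\n"


REQ_LINE = re.compile(r"^([A-Za-z0-9_.-]+)==([^\s\\]+)")
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_hashed_requirements(text: str):
    """Return {name: (version, {sha256 digests})}.
    Backslash continuations are joined first, as pip does."""
    pins = {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, version = m.group(1).lower(), m.group(2)
        pins[name] = (version, set(HASH_OPT.findall(line)))
    return pins


def resolve_version_only(pins, index):
    """What `pip install -r` without --require-hashes effectively trusts:
    whatever the index currently serves for name==version.
    Returns {name: uploader of the artifact that would be installed}."""
    return {name: index[name][version][1] for name, (version, _) in pins.items()}


def verify_hashes(pins, index):
    """Mimic `pip install --require-hashes`: every pin must carry at least one
    hash, and the served artifact must match one of them.
    Returns a list of (name, version, reason) failures; empty means clean."""
    failures = []
    for name, (version, digests) in pins.items():
        if not digests:
            failures.append((name, version, "no hash pinned"))
            continue
        served_blob, _uploader = index[name][version]
        if sha256_hex(served_blob) not in digests:
            failures.append((name, version, "hash mismatch: artifact replaced"))
    return failures


def demo():
    """Lock against the original index, then resolve against the index
    after the re-registration. Returns (version-only result, hash failures)."""
    lock_text = generate_hashed_requirements(INDEX_AT_LOCK_TIME)
    pins = parse_hashed_requirements(lock_text)
    uploaders = resolve_version_only(pins, INDEX_NOW)  # installs the revived package
    failures = verify_hashes(pins, INDEX_NOW)           # catches the swap
    return uploaders, failures


if __name__ == "__main__":
    installed, problems = demo()
    print("version-only resolution would install from:", installed)
    print("hash verification failures:", problems)
```

The point the two functions make side by side: `resolve_version_only` returns the attacker's artifact for `legacy-helper==0.1.2` without complaint, while `verify_hashes` rejects it because the digest recorded at lock time no longer matches. Pinning hashes in the lockfile and installing with `--require-hashes` turns a silent substitution into a failed build, which is the behaviour you want from a CI job that runs with broad credentials.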