Most malicious packages are published, are up on PyPI for a day or two and then detected and taken down. If people never upgraded until a library had been up for a week or two, enough time for the community to realize there was a problem, then this would affect people upgrading on an unlucky day.
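One way to apply the waiting period described above, as an added example that is not part of the original comment: a small resolver that only pins a version once every file of that release has been public for a minimum number of days. It works over data in the shape of the PyPI JSON API's `releases` mapping (the `upload_time_iso_8601` field is real), but the package name `examplepkg`, the version numbers, the timestamps and the fixed "now" are constructed for the example.

```python
"""Pick the newest release that has been on PyPI for at least MIN_AGE_DAYS.

Input mirrors ``https://pypi.org/pypi/<name>/json``["releases"]: each version
maps to a list of uploaded files, each carrying ``upload_time_iso_8601``.
The sample data below is constructed for this example and describes no
real package.
"""
from datetime import datetime, timedelta, timezone

MIN_AGE_DAYS = 14  # the "week or two" cooldown from the comment above

# Constructed stand-in for the PyPI JSON API "releases" mapping.
SAMPLE_RELEASES = {
    "1.2.0": [{"upload_time_iso_8601": "2024-01-03T10:00:00.000000Z"}],
    "1.3.0": [{"upload_time_iso_8601": "2024-02-20T09:30:00.000000Z"}],
    "1.3.1": [{"upload_time_iso_8601": "2024-03-01T12:00:00.000000Z"}],
    "1.4.0": [],  # a version with no files (e.g. withdrawn) is never eligible
}
# Fixed "current time" so the example is deterministic (constructed).
NOW = datetime(2024, 3, 3, tzinfo=timezone.utc)


def version_key(version):
    """Sort key for dotted numeric versions: '1.10.2' -> (1, 10, 2)."""
    return tuple(int(part) for part in version.split("."))


def newest_upload(files):
    """A version is only as old as its newest file: return the latest upload
    time across the version's files, or None if it has no files."""
    times = [
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for f in files
    ]
    return max(times) if times else None


def pick_cooled_version(releases, min_age_days=MIN_AGE_DAYS, now=NOW):
    """Return the highest version whose files have all been public for at
    least ``min_age_days``, or None if no version has cooled down yet."""
    cutoff = now - timedelta(days=min_age_days)
    eligible = [
        version
        for version, files in releases.items()
        if (uploaded := newest_upload(files)) is not None and uploaded <= cutoff
    ]
    return max(eligible, key=version_key) if eligible else None


def cooled_pin(name, releases, min_age_days=MIN_AGE_DAYS, now=NOW):
    """Requirement line for the selected version, e.g. 'examplepkg==1.2.0'."""
    version = pick_cooled_version(releases, min_age_days, now)
    return f"{name}=={version}" if version else None


if __name__ == "__main__":
    # With a 14-day cooldown the two most recent releases are skipped.
    print(cooled_pin("examplepkg", SAMPLE_RELEASES))
```

Using the newest file time rather than the first upload matters because additional wheels can be added to an existing version later; the cooldown clock should restart for the whole release when that happens. In practice you would fetch the `releases` mapping for each dependency and feed the resulting pins into a lock file instead of resolving against the index directly.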