@codepo8 Are there any more details anywhere? If the package mentioned at https://news.ycombinator.com/item?id=43184630 was indeed the affected version (I don't think there's a way to check, given that it was pulled?), then a quick glance doesn't show anything obviously malicious in the code...

(It's obfuscated, but the obfuscation does not exactly seem to be very strong, and it doesn't seem to make any attempt to hide the identifiers, so you can gather a lot even from the obfuscated code)