Hacker News | kltzayh's comments

With the ellipsis expanded: "Due to the XZ backdoor incident, I no longer accept contact from anonymous individuals."

The XZ cracker could have logged in via GitHub at numerous services. I bet that the OP downloads from PyPI that was potentially compromised for longer than a year due to an overlooked token leak.

I further bet that the OP, being in the machine learning space, downloads unauditable, huge Python frameworks from GitHub, conda or PyPI.

People in that space also download and experiment with untrusted models.

But hey, plain text email which you can read in a command line mail client with MIME and other extensions disabled is the problem!

