Manifest confusion attacks also work on PyPI: https://stiankri.substack.com/p/manifest-confusion-in-pypi

The initial attack was only demoed on npm: https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem