The malicious package was available on PyPI, a package index widely used by Python developers. After being notified of it, PyPI's maintainers have removed the malicious package.