News

The commands allow the malware to self-update, with the attackers being able to deliver a new version, as well as additional payloads in the form of Python scripts.
A recent project to scan the main Python repository's 268,000 packages found only a few potentially malicious programs, but work earlier this year uncovered hundreds of instances of malware.
The scan command is:
    osv-scanner scan image <image-name>:<tag>
The scanner now also detects vulnerabilities in other formats of project and container dependencies: Node modules, Python wheels, ...