holy shit.
https://www.reddit.com/r/Python/comments/8hvzja/backdoor_in_sshdecorator_package/
https://twitter.com/x0rz/status/994116668086542336
"The ssh-decorator package from Python pip had an obvious backdoor"
sends host + username + password to an external website