Saved February 14, 2026
Do you care about this?
Researchers found insecure bootstrap scripts in legacy Python packages that could allow attackers to exploit a domain takeover. The scripts fetch an outdated installation package from a now-available domain, which poses a risk of executing malicious code. Some affected packages have removed the scripts, but others, like slapos.core, still include them.
If you do, here's more
Cybersecurity researchers at ReversingLabs found vulnerable code in legacy Python packages that could lead to supply chain attacks on the Python Package Index (PyPI). The issue arises from bootstrap scripts associated with a deployment tool called zc.buildout. These scripts can fetch and execute an outdated installation script for a package called Distribute from a now-unclaimed domain, python-distribute.org. This domain has been for sale since 2014, which poses a risk. If an attacker gains control of the domain, they could serve malicious code to users running the bootstrap script.
Several popular packages, including tornado and pypiserver, still include this problematic bootstrap script. Although some have removed it, slapos.core continues to ship vulnerable code. The script is written in Python 2, making it non-executable in Python 3 without changes. However, its presence increases the risk of exploitation if developers inadvertently trigger it. The potential for attack is real: past incidents, like the compromise of the npm package fsevents, highlight how attackers can seize control of unclaimed resources to distribute malware.
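As an added example that is not part of the article or of ReversingLabs' research: a small Python scanner that flags the two indicators described above in a checked-out source tree, string literals pointing at the unclaimed python-distribute.org domain and one-line fetch-and-execute calls. The sample bootstrap.py it scans is constructed here to resemble the legacy pattern, not copied from any package.

```python
"""Flag legacy bootstrap scripts that fetch and execute remote code.

Constructed example: the sample files written by demo() are made up to
resemble the old zc.buildout bootstrap pattern, not taken from any project.
"""
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# Hosts the article reports as unclaimed / for sale; extend as needed.
RISKY_HOSTS = {"python-distribute.org"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s'\"]*")
# exec/eval and urlopen on the same line: a remote fetch-and-execute.
FETCH_EXEC_RE = re.compile(
    r"\b(exec|eval)\b.*\burlopen\(|\burlopen\(.*\b(exec|eval)\b")

SAMPLE_BOOTSTRAP = '''\
import urllib2
ez = {}
exec(urllib2.urlopen("http://python-distribute.org/distribute_setup.py").read(), ez)
ez["use_setuptools"](to_dir="eggs", download_delay=0)
'''
SAMPLE_SETUP = 'from setuptools import setup\nsetup(name="example", version="0.1")\n'


def scan_file(path: Path, root: Path) -> list[dict]:
    """Return one finding per risky URL or fetch-and-execute line in path."""
    findings = []
    rel = str(path.relative_to(root))
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        for m in URL_RE.finditer(line):
            if m.group(1).lower() in RISKY_HOSTS:
                findings.append({"file": rel, "line": lineno,
                                 "kind": "unclaimed-domain", "detail": m.group(0)})
        if FETCH_EXEC_RE.search(line):
            findings.append({"file": rel, "line": lineno,
                             "kind": "remote-exec", "detail": line.strip()})
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Scan every .py file under root, in a stable (sorted) order."""
    return [f for p in sorted(root.rglob("*.py")) for f in scan_file(p, root)]


def demo() -> list[dict]:
    """Write the constructed sample tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bootstrap.py").write_text(SAMPLE_BOOTSTRAP)
        (root / "setup.py").write_text(SAMPLE_SETUP)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']} [{f['kind']}] {f['detail']}")
```

Point scan_tree at a vendored dependency or an unpacked sdist to check it before a build triggers the script.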
In a related incident, a malicious package named "spellcheckers" was uploaded to PyPI. Marketed as a tool for checking spelling errors, it instead contained code designed to connect to an external server and deploy a remote access trojan (RAT). This package, uploaded on November 15, 2025, had been downloaded nearly 1,000 times before being removed. Once installed, the RAT allows attackers to execute commands on the victim's computer, showcasing the ongoing risks associated with supply chain vulnerabilities in software development.