1 link tagged with all of: supply-chain + python + vulnerabilities + malware + security
Links
Researchers found insecure bootstrap scripts in legacy Python packages that could expose users to a domain takeover attack. The scripts fetch an outdated installation package from a domain that is now available to register, which creates a risk of executing malicious code. Some affected packages have removed the scripts, but others, like slapos.core, still include them.