More reason to double check your download hash.

https://www.bleepingcomputer.com/news/security/open-source-repositories-flooded-by-144-000-phishing-packages/