This occurs when a private package fetches a similar public one, leading to exploit due to misconfigurations in package managers
The new document is the first release from NSA’s Artificial Intelligence Security Center (AISC), in partnership with other government agencies in the US and other Five Eyes countries