This malicious PyPI package mixed source and compiled code to dodge detection