A review of open-source software supply chain attacks

Here’s a preprint paper from
Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier looking at
attacks on language-specific package repositories. “Recent years saw a
number of supply chain attacks that leverage the increasing use of open
source during software development, which is facilitated by dependency
managers that automatically resolve, download and install hundreds of open
source packages throughout the software life cycle. This paper presents a
dataset of 174 malicious software packages that were used in real-world
attacks on open source software supply chains, and which were distributed
via the popular package repositories npm, PyPI, and RubyGems. Those
packages, dating from November 2015 to November 2019, were manually
collected and analyzed. The paper also presents two general attack trees to
provide a structured overview about techniques to inject malicious code
into the dependency tree of downstream users, and to execute such code at
different times and under different conditions.”
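As an added illustration of the execution-time dimension those attack trees cover (this is not code from the paper or from LWN): dependency managers such as npm run lifecycle scripts declared in a package's manifest while installing it, so a package anywhere in the transitive dependency tree can execute code on the downstream developer's machine at install time, before the application itself ever runs. The Python below walks a constructed, lock-file-like dependency tree (all package names and commands are hypothetical) and reports every transitive dependency that declares one of npm's install-phase hooks (`preinstall`, `install`, `postinstall`).

```python
"""Audit a resolved dependency tree for packages that run code at install time.

Added example, not from the paper or LWN.  The tree format
    name -> {"scripts": {hook: command}, "dependencies": {name: version}}
is a constructed stand-in for a lock file; the "scripts" and "dependencies"
field names match those used in an npm package.json.
"""

# Lifecycle hooks npm runs for a dependency while installing it.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def transitive_deps(tree, root):
    """Return every package reachable from `root` (root included), each once.

    Unresolved names (present as a dependency but absent from `tree`) are
    still reported so a caller can see gaps in the lock data.
    """
    seen, stack = [], [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.append(name)
        manifest = tree.get(name, {})
        stack.extend(manifest.get("dependencies", {}))  # iterate dependency names
    return seen


def install_time_scripts(tree, root):
    """Map each transitive dependency of `root` that declares an install-phase
    hook to {hook: command}.  Packages with only unrelated scripts (test,
    build, ...) are not reported."""
    findings = {}
    for name in transitive_deps(tree, root):
        scripts = tree.get(name, {}).get("scripts", {})
        hooked = {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}
        if hooked:
            findings[name] = hooked
    return findings


# Constructed sample tree: an application with one direct dependency that is
# clean, one that runs a postinstall step, and a transitive dependency two
# levels down that runs code before it is even installed.
SAMPLE_TREE = {
    "my-app": {"dependencies": {"padlib": "1.0.0", "colorz": "2.1.0"}},
    "padlib": {"scripts": {"test": "node test.js"}},
    "colorz": {
        "dependencies": {"tinyutil": "0.3.0"},
        "scripts": {"postinstall": "node ./lib/setup.js"},
    },
    "tinyutil": {"scripts": {"preinstall": "node ./scripts/collect.js"}},
}

if __name__ == "__main__":
    for pkg, hooks in sorted(install_time_scripts(SAMPLE_TREE, "my-app").items()):
        for hook, cmd in hooks.items():
            print(f"{pkg}: runs at {hook}: {cmd}")
```

On a real project the input would come from the installed `node_modules/*/package.json` files or the lock file rather than a literal dict, and the check is a triage aid, not a verdict: many legitimate packages (native add-ons, for example) use install hooks, while a malicious package can also defer execution to import time and declare no hook at all. `npm install --ignore-scripts` suppresses these hooks entirely and is a reasonable default for CI. The same timing concern applies to PyPI source distributions, whose `setup.py` executes during installation.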


Source: LWN.net – A review of open-source software supply chain attacks