A threat has been identified that affects dependencies on private packages in the build and deploy pipeline.
An attacker can publish packages to a public repository under the same names as your private packages. These would be fetched instead of your own private packages, since the public repository will have precedence over the private repository.
The attacker can include any malicious code in their package, which could be executed by any machine that fetches the package, including developer machines, CI/CD and production.
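A defender-side check for the substitution described above, as an added example that is not part of the original advisory: it reads a lockfile and reports every package carrying one of your private names that was not resolved from your private registry. The lockfile layout (npm `package-lock.json`), the registry host, the package names and the sample lockfile are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Assumed values for illustration (hypothetical, not from the advisory).
PRIVATE_REGISTRY_HOST = "npm.internal.example"  # host of your private registry
PRIVATE_NAMES = {"acme-billing", "acme-auth"}   # names of your private packages

# Constructed sample in the npm package-lock.json (lockfileVersion 3) layout.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/acme-auth": {
            "version": "2.1.0",
            "resolved": "https://npm.internal.example/acme-auth/-/acme-auth-2.1.0.tgz"},
        "node_modules/acme-billing": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/acme-billing/-/acme-billing-2.1.0.tgz"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        # Nested copy with no recorded source.
        "node_modules/left-pad/node_modules/acme-auth": {"version": "2.0.0"},
    },
})

def find_confused(lock_text, private_names, private_host):
    """Return (path, name, version, host) for every private-named package
    that was not resolved from the private registry host."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path:  # the "" key is the root project itself
            continue
        # Nested installs look like a/node_modules/b; the name is the tail.
        name = path.rpartition("node_modules/")[2]
        if name not in private_names:
            continue
        host = urlparse(meta.get("resolved", "")).hostname
        if host != private_host:  # also flags entries with no recorded source
            findings.append((path, name, meta.get("version"), host))
    return findings

if __name__ == "__main__":
    hits = find_confused(SAMPLE_LOCK, PRIVATE_NAMES, PRIVATE_REGISTRY_HOST)
    for path, name, version, host in hits:
        print(f"{name}@{version} at {path}: resolved from {host or 'unknown source'}")
```

Run as a CI step before install, a non-empty result is a reason to fail the build.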
Here’s the original report: