Researchers uncovered 20 malicious PyPI packages stealing cloud credentials, downloaded 14,100+ times before removal.