Can trusted PyPI packages or other language packages be taken over? Can their author, once benevolent, become malicious, inject code and push a minor version after they wake up one day?
There once was an adblocker called Nano which was open source and quite popular. The developer sold the ownership and the new owners injected malware, which was then shipped to all Chrome users with the extension.
So I don't see why the same shouldn't work for PyPI packages, and I also don't understand why no one saw this coming. With how many companies have adopted Python, there surely will be a security vendor willing to provide free package screening for the repo.