[Python-Dev] SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI
https://mail.python.org/pipermail/python-dev/2017-September/149569.html
[Security-announce] Typo squatting and malicious packages on PyPI
https://mail.python.org/pipermail/security-announce/2017-September/000000.html
And GitHub issues:
Can register packages that match system packages
https://github.com/pypa/pypi-legacy/issues/585
Block package names that conflict with core libraries
https://github.com/pypa/warehouse/issues/2151