Was thinking about how to address this generally, since exploits are likely to proliferate. (Wasn't there a recent exploit against many pip packages? Maybe this one - https://news.ycombinator.com/item?id=45179939)

You basically can't trust anything, unfortunately.

Solutions? Consider https://news.ycombinator.com/item?id=44283454