PyPI is a third-party software repository for Python packages. Everybody can upload packages to it (see The Python Package Index (PyPI)).
- How does PyPI prevent people from uploading malware?
- When I am searching for software, how can I be (more) sure that it is not malware?
- What can I, as a developer of packages, do to make others feel safer using my packages?
- Are there "historic" examples of malware in the repositories? How much harm did they do?
I've asked the question for PyPI, but I'll also be interested in similar repositories like npm (JavaScript) or composer (PHP).
I have asked this question for CTAN (tex) in the tex.SE chat. The answer was there are no security measures. They trust people / developers not to upload malware.