Post
Topic
Board Development & Technical Discussion
Re: Two malicious Python libraries caught stealing SSH and GPG keys
by
TechPriest
on 08/12/2019, 10:40:38 UTC
1. I check the Python-based dependencies for all applications I use pretty carefully (and don't use pip/PyPI at all; either the OS repo or compiling Python source is the way to go)
2. Not yet have I found something on PyPI that has source that I cannot byte-compile myself and install into Python's annoying package system
3. I can read/write Python, and so I understand Python just about well enough to be able to review code for weird/suspicious-looking tricks such as in the OP; it'd have to be a more subtle trick to work

With such paranoia I have a better idea for you: create your code in a default notebook and compile it outside of your computer.
For example here: https://repl.it/languages/python3

Also, I very much doubt that you check all dependencies and source code for the applications you use, unless you use only 2-3 Python applications and don't have any offline life (or unless you work at a code-audit company), because it's impossible for one person to do, due to the number of updates, the amount of source code, etc.

If you want, and do not trust how pip downloads packages, you can download wheels from https://pypi.org/simple/ and set them up yourself with pip's help (building with pip on your local computer).

Because without using pip it's more likely that the package or application will end up broken than that you get phished.
Also, on Linux, just don't use sudo pip; install packages with --user or just create a virtual env and everything will be fine.
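The manual-wheel workflow suggested in the post, as an added example that is not part of the original thread or of pip itself: before installing a wheel you downloaded by hand, compare the archive's sha256 against the hash you pinned (copied from the package's PyPI file listing or a `--hash=sha256:...` line in a requirements file), then cross-check every member of the archive against the digests in its `*.dist-info/RECORD`. The package name `demo_pkg` and both wheels are constructed inline so the script runs offline; the "tampered" wheel is a stand-in for an archive that had a file added after RECORD was written, not a real malicious package.

```python
"""Verify a hand-downloaded wheel before installing it into a venv.

Two offline checks:
  1. The archive's sha256 equals the hash you pinned, so you install the
     exact file you reviewed, not whatever a resolver fetched later.
  2. Every file inside the wheel matches the sha256 and size recorded in
     *.dist-info/RECORD, and nothing is present that RECORD does not list,
     so a member added or altered after RECORD was generated is caught.
"""
import base64
import csv
import hashlib
import io
import os
import tempfile
import zipfile


def sha256_file(path, chunk=1 << 16):
    """Hex sha256 of a file, streamed so large wheels do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_digest(data):
    """Digest in the form RECORD uses: urlsafe base64 of sha256, padding stripped."""
    raw = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_record(wheel_path):
    """Return a list of problems found comparing RECORD to the archive contents."""
    problems = []
    with zipfile.ZipFile(wheel_path) as zf:
        names = set(zf.namelist())
        records = [n for n in names if n.endswith(".dist-info/RECORD")]
        if len(records) != 1:
            return ["expected exactly one RECORD file, found %d" % len(records)]
        record_name = records[0]
        listed = set()
        for row in csv.reader(io.StringIO(zf.read(record_name).decode())):
            if not row:
                continue
            path, digest, size = row[0], row[1], row[2]
            listed.add(path)
            if path == record_name:
                continue  # RECORD cannot carry its own hash; its row is empty
            if path not in names:
                problems.append("listed in RECORD but missing from wheel: " + path)
                continue
            data = zf.read(path)
            if not digest.startswith("sha256="):
                problems.append("unsupported or missing digest for " + path)
                continue
            if digest[len("sha256="):] != record_digest(data):
                problems.append("hash mismatch: " + path)
            if size and int(size) != len(data):
                problems.append("size mismatch: " + path)
        for name in names - listed:
            if not name.endswith("/"):  # directory entries carry no data
                problems.append("in wheel but not listed in RECORD: " + name)
    return problems


def verify_wheel(wheel_path, pinned_sha256):
    """Return (ok, problems); ok is True only when both checks pass."""
    problems = []
    actual = sha256_file(wheel_path)
    if actual != pinned_sha256.lower():
        problems.append("archive sha256 %s does not match pinned %s" % (actual, pinned_sha256))
    problems.extend(check_record(wheel_path))
    return (not problems, problems)


def build_sample_wheel(directory, tamper=False):
    """Constructed sample wheel for a hypothetical package 'demo_pkg' (not a real
    PyPI project). With tamper=True an extra module is written into the archive
    after RECORD was generated, so RECORD does not list it."""
    files = {
        "demo_pkg/__init__.py": b"__version__ = '1.0'\n",
        "demo_pkg-1.0.dist-info/METADATA": b"Metadata-Version: 2.1\nName: demo_pkg\nVersion: 1.0\n",
        "demo_pkg-1.0.dist-info/WHEEL": b"Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py3-none-any\n",
    }
    record_lines = ["%s,sha256=%s,%d" % (p, record_digest(d), len(d)) for p, d in files.items()]
    record_lines.append("demo_pkg-1.0.dist-info/RECORD,,")
    path = os.path.join(directory, "demo_pkg-1.0-py3-none-any.whl")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p, d in files.items():
            zf.writestr(p, d)
        if tamper:
            zf.writestr("demo_pkg/_compat.py", b"# constructed stand-in for an unlisted module\n")
        zf.writestr("demo_pkg-1.0.dist-info/RECORD", "\n".join(record_lines) + "\n")
    return path


def demo():
    """Build a clean and a tampered wheel, pin the clean one's hash, check both."""
    with tempfile.TemporaryDirectory() as d:
        good_dir, bad_dir = os.path.join(d, "good"), os.path.join(d, "bad")
        os.mkdir(good_dir)
        os.mkdir(bad_dir)
        good = build_sample_wheel(good_dir)
        bad = build_sample_wheel(bad_dir, tamper=True)
        pinned = sha256_file(good)  # stands in for the hash copied from PyPI
        ok_good, _ = verify_wheel(good, pinned)
        ok_bad, problems = verify_wheel(bad, pinned)
        return ok_good, ok_bad, problems


if __name__ == "__main__":
    ok_good, ok_bad, problems = demo()
    print("clean wheel ok:", ok_good)
    print("tampered wheel ok:", ok_bad)
    for p in problems:
        print("  -", p)
```

Run it as a script, or point `verify_wheel()` at a wheel fetched with `pip download --no-deps <name>==<version>` and the hash from PyPI. For day-to-day use, pip's own `--require-hashes` mode with `--hash=sha256:...` lines in the requirements file does the archive-hash check and refuses any unpinned dependency, and pip also validates RECORD digests when it unpacks a wheel; the script above just makes both checks visible so you can run them on a file you intend to install by hand, inside a venv rather than with sudo.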