Post
Topic
Board Development & Technical Discussion
Re: Malicious packages in PyPI module.
by satscraper on 11/04/2025, 17:10:55 UTC
It's nothing new, using library programming distribution is a common way to spread malware.

Unfortunately this is true, and we can do nothing to cut off this way.


Although it's weird that a malicious package called "disgrasya" was downloaded over 37K times, when searching "disgrasya" on Google leads to a dictionary/language website rather than a programming website.

This is likely due to PyPI's prompt action in immediately removing the 'disgrasya' package from the repository after it was identified as malicious. Nothing to index for Google's bots.



P.S. I don't think this thread belongs on "Beginners & Help", since average people don't need to install Python packages manually.

Agreed and move it here.