Post
Topic
Board Beginners & Help
Re: Malware-laced Rust packages on Crates.io stealing crypto wallets
by tabas on 27/09/2025, 22:24:12 UTC
Yes, there is a tendency that the official website unknowingly has replaced the package to be downloaded by its users. And so, be vigilant and always verify things. Because it's going to be too late if we find out that we've been a victim already. And we don't want to get to that point. Coming from apps, browser extensions that we use, everything that's executable, check them always.
Most websites do not have PGP signatures that can be used to verify that a file really belongs to the original people that own the website. I have only noticed just open source wallets that only support bitcoin that have the signatures. If a website does not have the signature, there is no way you can know that the file on the site to download has not been replaced by hackers.
That's right, so it's hard for a user to check if the downloadable file there is going to be an official one. So, if by any chance there are PGP signatures that can be verified there, much better. But if not, still make sure to check out some updates if there's something wrong or something that has happened to that website recently. But since this malware is specific to crates, always verify and that's the best that we can do about it.