Comment by cpburns2009
2 months ago
As much as I prefer Python over JavaScript, Python is vulnerable to this sort of attack. All it would take is a compromised update publishing only a source package, and hooking into any of setuptools's build or install steps. Pip's build isolation is only intended for reproducible builds. It's not intended to protect against malicious code.
PyPI's attestations do nothing to prevent this either. A package built from a compromised repository will be happily attested with malicious code. To my knowledge wheels are not required.
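What such a setuptools hook looks like, and a pre-install audit that flags it, as an added example that is not part of the HN thread. The two setup.py fixtures are constructed for the example, and the audit heuristics (command-class imports, a `cmdclass` override, suspicious build-time imports) are this example's own static check, not a pip or PyPI feature.

```python
"""
Added example: a source-only release whose setup.py hooks a setuptools
command, plus a static audit of sdist tarballs for that pattern.
Nothing here executes the fixture; it is only parsed.
"""
import ast
import io
import tarfile

# Constructed fixture: any code in run() executes as whoever runs
# `pip install`. Build isolation only decides which build dependencies
# are importable; it does not sandbox what they do.
HOOKED_SETUP_PY = b'''
import subprocess
from setuptools import setup
from setuptools.command.build_py import build_py

class HookedBuild(build_py):
    def run(self):
        subprocess.run(["echo", "payload runs as the installing user"])
        super().run()

setup(name="totally-legit", version="1.0.1", cmdclass={"build_py": HookedBuild})
'''

# Constructed fixture: the benign release before the compromised update.
CLEAN_SETUP_PY = b'''
from setuptools import setup
setup(name="totally-legit", version="1.0.0", py_modules=["legit"])
'''

# Modules a setup.py rarely needs at build time; their presence is a signal, not proof.
SUSPICIOUS_IMPORTS = {"subprocess", "os", "socket", "urllib", "ctypes", "shutil", "base64"}
# setuptools commands commonly subclassed to run code during build or install.
HOOKABLE_COMMANDS = {"build_py", "build_ext", "install", "develop", "egg_info"}


def make_sdist(setup_py: bytes, name: str = "totally-legit-1.0.1") -> bytes:
    """Build a minimal .tar.gz sdist in memory (test fixture, not a real upload)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(f"{name}/setup.py")
        info.size = len(setup_py)
        tar.addfile(info, io.BytesIO(setup_py))
    return buf.getvalue()


def audit_sdist(sdist_bytes: bytes) -> list[str]:
    """Return findings for an sdist's setup.py. An empty list means nothing was
    flagged by these heuristics; it is not proof the build step is harmless."""
    findings: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        setup_members = [m for m in tar.getmembers()
                         if m.name == "setup.py" or m.name.endswith("/setup.py")]
        if not setup_members:
            # pyproject-only sdist: the build backend itself still needs review.
            return findings
        src = tar.extractfile(setup_members[0]).read().decode()

    tree = ast.parse(src)
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module \
                and node.module.startswith("setuptools.command"):
            findings.append(f"imports setuptools command class {node.module}")
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = ([a.name for a in node.names] if isinstance(node, ast.Import)
                     else [node.module or ""])
            for n in names:
                if n.split(".")[0] in SUSPICIOUS_IMPORTS:
                    findings.append(f"imports {n.split('.')[0]} at build time")
        if isinstance(node, ast.keyword) and node.arg == "cmdclass":
            findings.append("setup() overrides cmdclass")
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                if isinstance(base, ast.Name) and base.id in HOOKABLE_COMMANDS:
                    findings.append(
                        f"class {node.name} subclasses setuptools command {base.id}")
    return findings


if __name__ == "__main__":
    print("clean :", audit_sdist(make_sdist(CLEAN_SETUP_PY, "totally-legit-1.0.0")))
    print("hooked:", audit_sdist(make_sdist(HOOKED_SETUP_PY)))
```

In practice you would fetch the tarball with `pip download --no-binary=:all: <pkg>` and run `audit_sdist` over it before anything is built. The simpler policy the comment points at is `pip install --only-binary=:all:` (or `PIP_ONLY_BINARY=:all:` in the environment), which refuses sdists outright so no build step runs on the installing machine at all. Two caveats: a PEP 517 sdist can point `build-backend` at a module shipped in the tarball via `backend-path`, running arbitrary code without any setup.py, so an empty finding list is not a clean bill; and a hook that hides behind an innocuous-looking `import` of a sibling module defeats the import heuristic, so treat this as a first filter, not a verdict.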