Comment by AbanoubRodolf

8 hours ago

The 46-minute window isn't really a scanner throughput problem. The .pth file vector specifically requires a new detection rule because traditional malware scanners were looking at setup.py and wheel entry points, not site-packages .pth files. Python runs .pth files unconditionally at interpreter startup, so they're actually a cleaner injection point than the typical "pip install runs malicious setup.py" attack.

A static scanner that flags `import subprocess` or `exec(` in any .pth file added by a package would have caught this in under a second at upload time. The tradeoff is false positive rate: there are probably a handful of legitimate packages that do process spawning from .pth files for env setup. Worth auditing the PyPI corpus to find out how many.
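One way to build the kind of .pth rule the comment proposes, as an added example that is not code from the thread. It applies the actual `site.py` rule (only lines beginning with `import` are executed; everything else is a path entry), so path lines never trigger. The token list and the sample .pth content are constructed assumptions to tune against a real corpus.

```python
"""Static check for executable lines in .pth files (added example, not from the thread)."""
import re
import zipfile

# site.py executes only lines that begin with "import " (or "import\t");
# every other non-comment, non-blank line is treated as a path to append to sys.path.
_EXEC_LINE = re.compile(r"^import[ \t]")

# Tokens that rarely belong in a legitimate .pth line (assumption: adjust after
# measuring the false-positive rate on the corpus, as the comment suggests).
_SUSPICIOUS = re.compile(
    r"subprocess|os\.system|os\.popen|\bexec\(|\beval\(|\bcompile\(|base64|"
    r"__import__|socket|urllib|codecs\.decode"
)


def scan_pth_text(text: str, name: str = "<pth>") -> list[tuple[str, int, str, str]]:
    """Return one (file, lineno, reason, line) tuple per flagged executable line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment: ignored by site.py
        if not _EXEC_LINE.match(line):
            continue                      # plain path entry: never executed
        m = _SUSPICIOUS.search(line)
        if m:
            findings.append((name, lineno, f"executable .pth line references {m.group(0)}", line))
    return findings


def scan_wheel(wheel_path: str) -> list[tuple[str, int, str, str]]:
    """Scan every .pth member of a wheel (a zip file) at upload/review time."""
    findings = []
    with zipfile.ZipFile(wheel_path) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".pth"):
                text = zf.read(info).decode("utf-8", errors="replace")
                findings.extend(scan_pth_text(text, info.filename))
    return findings


# Constructed sample: two benign lines (a path entry and the classic sys.path tweak)
# followed by two lines a reviewer would want flagged.
SAMPLE_PTH = """\
# constructed sample .pth
/opt/venv/lib/python3.12/site-packages/vendored
import sys; sys.path.insert(0, '/opt/extra')
import subprocess; subprocess.Popen(['/bin/sh', '-c', 'echo demo'])
import base64, importlib; importlib.import_module('hidden')
"""

if __name__ == "__main__":
    for hit in scan_pth_text(SAMPLE_PTH, "sample.pth"):
        print(hit)
```

Because `easy-install.pth` and setuptools editable installs legitimately use `import sys; ...` lines, the rule keys on the referenced names rather than on the presence of an executable line itself.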