> More than 3.9 million new files published
> More than 130,000 new projects created
Is there any way to prevent PyPI from becoming a morass of supply chain attacks like NPM etc.? The cited security measures (though some of them like domain resurrection protection are probably very good ideas) seem like they won't, but it also seems like a very hard problem to solve, given the vast scale as well as core issues like malicious (but seemingly innocuous) upstream commits.
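A defender-side illustration, added here and not part of the comment above or of PyPI's or pip's own tooling: the one mitigation a consumer controls regardless of what the index does is to pin every dependency to an exact version with an artifact hash, so that a hijacked release (whether from a compromised maintainer account or an innocuous-looking upstream commit that shipped a poisoned wheel) fails to install instead of silently running. The script audits a requirements file for that hygiene and verifies a downloaded artifact against the recorded digest. The package names, versions, "wheel" bytes and the digest are all constructed for the example.

```python
"""Audit a pip requirements file for supply-chain hygiene and verify
artifacts against it. Every requirement should carry an exact '==' pin
and at least one --hash, which is what pip's --require-hashes mode
enforces at install time."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed artifact standing in for a downloaded wheel; its digest is
# what a reviewed lock file would record.
GOOD_ARTIFACT = b"constructed wheel contents for the example"
GOOD_DIGEST = hashlib.sha256(GOOD_ARTIFACT).hexdigest()

# Constructed requirements file (not a real project's lock file).
SAMPLE_REQUIREMENTS = f"""\
# good: exact pin plus a hash
requests==2.31.0 \\
    --hash=sha256:{GOOD_DIGEST}
# bad: floating version and no hash
flask>=2.0
# bad: exact pin but no hash, so pip cannot verify the artifact
urllib3==2.2.1
"""

NAME_RE = re.compile(r"([A-Za-z0-9_.\-]+)(.*)")
HASH_RE = re.compile(r"--hash=(\w+):([0-9a-fA-F]+)")


@dataclass
class Requirement:
    name: str
    specifier: str                               # e.g. "==2.31.0" or ">=2.0"
    hashes: dict = field(default_factory=dict)   # algorithm -> hex digest

    def problems(self):
        """Return the hygiene problems with this requirement (empty if none)."""
        out = []
        if not self.specifier.startswith("=="):
            out.append("not pinned to an exact version")
        if not self.hashes:
            out.append("no --hash, pip will not verify the artifact")
        return out


def parse_requirements(text):
    """Parse a pip-style requirements file, honouring comments and
    backslash continuation lines, into Requirement objects."""
    reqs = []
    logical = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if line.endswith("\\"):                 # continuation: keep collecting
            logical += line[:-1] + " "
            continue
        logical += line
        stripped = logical.strip()
        logical = ""
        if not stripped:
            continue
        tokens = stripped.split()
        name, spec = NAME_RE.match(tokens[0]).groups()
        hashes = {}
        for tok in tokens[1:]:
            m = HASH_RE.match(tok)
            if m:
                hashes[m.group(1).lower()] = m.group(2).lower()
        reqs.append(Requirement(name, spec, hashes))
    return reqs


def audit(text):
    """Map each requirement name to its list of hygiene problems."""
    return {r.name: r.problems() for r in parse_requirements(text)}


def verify_artifact(req, data):
    """True only if the artifact bytes match one of the recorded digests.
    A requirement with no hashes can never be verified."""
    for algo, expected in req.hashes.items():
        if algo not in hashlib.algorithms_available:
            continue
        if hashlib.new(algo, data).hexdigest() == expected:
            return True
    return False


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_REQUIREMENTS).items():
        print(name, "OK" if not problems else "; ".join(problems))
    reqs = {r.name: r for r in parse_requirements(SAMPLE_REQUIREMENTS)}
    print("requests artifact verified:", verify_artifact(reqs["requests"], GOOD_ARTIFACT))
    print("tampered artifact verified:", verify_artifact(reqs["requests"], GOOD_ARTIFACT + b"!"))
```

In practice the lock file is produced once, during review, and then enforced on every install with `pip install --require-hashes -r requirements.txt`; the audit above is the pre-flight check that nothing slipped into the file without a pin and a digest.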