Secondly, stop trusting pip/pypi. You -can- upload gpg package signatures but clients totally ignore them. There is no way to verify the author of a pip package except by hand today.
Let me be really clear here. When you install a pip package you are executing arbitrary code from the internet with unknown authorship.
Pip is fundamentally broken until signature validation is implemented. Whenever possible use OS package managers like apt which actually verify authorship and integrity.
Package signing and verification works for distros, because significant effort is spent on curating keyrings of trusted keys. (And even that isn't foolproof! See https://bugs.debian.org/842939 for the latest example.)
It's not clear how automatic signature verification could work for pip. Who's going to decide which keys are trusted?
Edit: digging through Reddit comments more suggests the repo owner may have been hacked, as commit blame shows his user made the changes. In this case a blacklist wouldn't help, and my suggestion may already be in place.
The author of the package claims to be a "victim" here, but it's hard to tell. Too bad pip doesn't support package signing.
1) Can paramiko.RSAKey handle other encryption schemes (ED25519)? If not, folks using non-RSA keys wouldn't be affected.
2) Having a (strong) passphrase for your key file would help prevent the perp from doing any harm with the key(s), or at the very least would give you time to invalidate the key(s). Right?
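One way to check the second point on your own machine is to audit which private keys on disk are actually passphrase-protected. This is an added example, not code from the thread or from paramiko; it inspects only the on-disk headers (traditional PEM `Proc-Type`, the PKCS#8 `ENCRYPTED PRIVATE KEY` header, and the ciphername field of the openssh-key-v1 format), and the sample blobs it builds are constructed fixtures, not real keys.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _openssh_cipher_name(b64_body: str) -> str:
    """Return the ciphername field of an openssh-key-v1 blob ("none" means unencrypted)."""
    raw = base64.b64decode(b64_body)
    if not raw.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    (length,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + length].decode("ascii")

def is_private_key_encrypted(text: str) -> bool:
    """True if the key material is passphrase-protected; ValueError if not a private key."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0]
    if not (header.startswith("-----BEGIN") and header.endswith("PRIVATE KEY-----")):
        raise ValueError("not a PEM/OpenSSH private key")
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True                      # PKCS#8 encrypted form is always protected
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return _openssh_cipher_name("".join(lines[1:-1])) != "none"
    # Traditional PEM (RSA/DSA/EC): encryption is flagged by a Proc-Type header line
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])

def audit_key_dir(directory: Path) -> dict:
    """Map each private-key file under `directory` (e.g. ~/.ssh) to whether it is encrypted."""
    results = {}
    for path in directory.iterdir():
        if path.is_file() and path.suffix != ".pub":
            try:
                results[path.name] = is_private_key_encrypted(path.read_text())
            except (ValueError, IndexError, UnicodeDecodeError):
                continue                 # config, known_hosts, etc.: not a private key
    return results

def make_openssh_blob(cipher: str) -> str:
    """Constructed fixture: only the magic + ciphername prefix of the format, not a usable key."""
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode("ascii")
    body = base64.b64encode(raw).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, enc in audit_key_dir(Path.home() / ".ssh").items():
        print(f"{name}: {'encrypted' if enc else 'UNENCRYPTED'}")
```

A key reported as UNENCRYPTED is one that any process running as your user could have read and used directly; those are the ones worth rotating first.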