Facts:
Only one example: the request package was published containing effective malware. It was removed a few days later (once the malware was discovered). During this time it was downloaded a dozen thousand times. There has been no attempt to log or announce anywhere on the internet that the package contained malware.
And it seems that this is not an isolated case. And it is still going on as is.
Impression:
After asking security@python.org about the latter, I was advised to post on this forum, maybe the best place to discuss it. It turns out that there is almost no discussion. I essentially learned that the problem is not new, that this is not the place to talk about problems, and that I should have filed issues in Warehouse. I started this thread with the hope that my bad experience could help make PyPI better, but actually I leave it disappointed.
Opinion:
I am quite skeptical about the ability to effectively mitigate the risk using automated malware detection (but maybe I am wrong).