Personal experience
It doesn’t seem that rare to me. I am not sure what happened exactly in the current case (request). But I certainly now “own” a PyPI name that had seen at least 1 release before I took ownership of it (I didn’t know it had had a previous owner and had already seen a release before, but I can see it in the project’s journal on PyPI). Now as far as I understood, existing but seemingly abandoned projects are carefully reviewed by PyPI’s maintainers before being handed over to a new owner (PEP 541; there are quite some cases, see: PEP 541 requests on GitHub). So I can only assume that this project I now own has been considered as having no dependents and safe to hand over.
Opinion
I believe this can of course be mitigated by pinning versions (and using hashes).
I do not know if transferring ownership is the right thing to do at all.
I feel like (and I believe it has been discussed in other threads already), using namespaces would add another level of mitigation (à la user/foo, organization/foo, company/foo, malware/foo; although it would be easy to come up with ogranization/foo which would only move the typo slightly to the left). But for it to be possible, I believe Python’s import mechanisms should be adjusted as well (probably quite a lot of work, if even possible at all, or maybe – wishful thinking – it could be as simple as enforcing import organization.foo vs. import ogranization.foo; and even more unrelated wishful thinking import organization.foo['1.2.3'] as foo123 for multiple versions of the same project in a single environment).
Questions
I wonder what kind of processing happens on PyPI’s side when distributions are uploaded. Would it be possible, sensible, and helpful to run some kind of malware detection (bandit?) on incoming distributions?
Links
Most likely, all of this has been discussed already. I’d be thankful for links.
I already found (and currently reading) those: