Reading the recent blog post announcing --install-types, I was concerned that malicious third parties might create a types-$popular_package package and have it recommended or even installed by mypy.

The docs for this feature don't outline any security considerations. Has the risk of malicious packages been considered? If so, what mitigations are in place? It would be great to document this.