Two malicious Python libraries caught stealing SSH and GPG keys

[xamuel]

>But if they go to pypi, it won't have many installs

If people are using number of installs as a safety metric, can't blackhats game that by having a bot install the package many times?