This sounds bad. It is, but not quite as bad as you might think at first glance:
Bad actors have created many plausible-sounding PyPI packages containing malware in the hope that people will mistype the names of popular packages and mistakenly install the malware package.
In this case they have not replaced existing packages with infected versions, which is known as a “supply-chain attack”.
It is worth being cautious, and careful, when installing software from PyPI.
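One practical way to act on the caution above is a pre-install check that compares each requested package name against a vetted allow-list and flags near-misses (one dropped, swapped or substituted character) for manual review before anything is installed. The following is an added example, not code from the thread or from PyPI; the allow-list is a constructed sample standing in for an organisation's vetted dependency list, and the distance threshold of 2 is an assumption.

```python
"""Flag requested PyPI package names that sit suspiciously close to
well-known names (possible typosquats) before they are installed.

Added example, not from the original thread. KNOWN_GOOD is a constructed
sample; in practice it would be an organisation's vetted dependency list.
"""
from __future__ import annotations

import re

# Constructed sample allow-list (assumption), stored in PEP 503 normalised form.
KNOWN_GOOD = {
    "requests", "numpy", "pandas", "urllib3", "setuptools", "cryptography",
    "pyyaml", "flask", "django", "boto3",
}


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion, substitution
    or swap of two adjacent characters each costs 1. Adjacent swaps are the
    classic typo, which plain Levenshtein would count as two edits."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def check_package(name: str, known_good=KNOWN_GOOD, max_distance: int = 2):
    """Return (verdict, closest_known_name).

    'known'   - exact (normalised) match with the allow-list
    'suspect' - not on the allow-list but within max_distance of an entry
    'unknown' - not close to anything on the allow-list
    """
    n = normalize(name)
    if n in known_good:
        return "known", n
    best = min(known_good, key=lambda k: damerau_levenshtein(n, k))
    if damerau_levenshtein(n, best) <= max_distance:
        return "suspect", best
    return "unknown", None


def check_requirements(lines):
    """Run check_package over requirement lines, keyed by the bare package
    name (the part before any version specifier, extras or marker)."""
    results = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name = re.split(r"[\s<>=!~\[;]", line, maxsplit=1)[0]
        results[name] = check_package(name)
    return results


if __name__ == "__main__":
    # Constructed requirements file: one good name, one transposition typo,
    # one name that is simply not on the allow-list.
    sample = ["requests>=2.0", "reqeusts", "# pinned for build", "colorama==0.4"]
    for pkg, (verdict, closest) in check_requirements(sample).items():
        hint = f" (did you mean {closest}?)" if verdict == "suspect" else ""
        print(f"{pkg:12} {verdict}{hint}")
```

A 'suspect' verdict is a prompt for a human to look, not proof of malice: genuinely distinct packages can sit within two edits of a popular name, so the check is best wired into a pre-commit hook or CI step that blocks on 'suspect' until someone confirms the name is the one intended.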