Bertus
Dec 12, 2020

--

I report all malicious packages I find and they will be removed from PyPI. If you are concerned about malicious packages, I would recommend doing code inspection on packages you are concerned about. Static code analysis has limitations and it only provides an indication of whether a package has interesting behavior. If a package has interesting behavior, it is still required to do a manual code inspection to determine if it is malicious or not. Similarly, a lack of interesting behavior does not mean a package is not malicious, since malicious techniques are constantly evolving. That being said, I have not seen anything interesting regarding the safety package.
