PyPI is actively scanning for these types of packages and responding to reports. There are lots of people doing things to defend you against each one of these attacks. The threat from typosquatting is a race condition: somebody uploads a malicious package that doesn't look malicious enough to get automatically caught in these various ways.