Python.org's been targeted quite enough alright[1].
PyPI is arguably more secure, though the surrounding implementations are spotty. You can at least verify the package uploader's identity with some certainty using PyPISSH[2], and sign your package with GPG[3]. The problem is, PyPISSH and signing your package with GPG are not required for compatibility reasons.
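As an added example (not code from the commenter, PyPI or PyPISSH), a POSIX shell helper that checks a downloaded distribution against the detached GPG signature (the `.asc` file), pins it to the uploader's key fingerprint, and refuses anything unsigned, since signing is optional on PyPI. It assumes gpg is installed, the uploader's public key is already imported, and the fingerprint shown is a placeholder.

```shell
#!/bin/sh
# Added example, not from the comment above: verify a downloaded PyPI distribution
# against its detached GPG signature (the .asc served next to the file), pinned to
# the uploader's key fingerprint, and fail closed when no signature exists,
# because PyPI does not require one. Assumes gpg is installed and the uploader's
# public key has already been imported; the fingerprint in the usage line is a
# placeholder.

# verify_dist <distribution-file> <expected-key-fingerprint>
# Returns 0 only when a good signature from exactly that key is present.
verify_dist() {
  dist="$1"
  fpr="$2"
  sig="$dist.asc"
  if [ ! -f "$dist" ]; then
    echo "missing distribution: $dist" >&2
    return 2
  fi
  if [ ! -f "$sig" ]; then
    # Signing is optional on PyPI, so an absent .asc means "unverified", not "fine".
    echo "no detached signature for $dist; refusing to trust it" >&2
    return 1
  fi
  # --status-fd 1 gives machine-readable lines; VALIDSIG carries the signing key's
  # fingerprint, which is what ties the signature to a specific uploader.
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$dist" 2>/dev/null) || {
    echo "BAD signature on $dist" >&2
    return 1
  }
  if printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $fpr "; then
    echo "good signature from $fpr on $dist"
    return 0
  fi
  # A valid signature from some other key in the keyring is not good enough.
  echo "signature on $dist is not from expected key $fpr" >&2
  return 1
}

# sign_dist <distribution-file>: produce the detached .asc an uploader would publish.
sign_dist() {
  gpg --batch --armor --detach-sign --output "$1.asc" "$1"
}

# Usage (placeholder fingerprint; replace with the uploader's real one):
# verify_dist dist/example-1.0.tar.gz 0000000000000000000000000000000000000000
```

Because `gpg --verify` reports success for any key in the keyring, the fingerprint check is what distinguishes "signed by someone" from "signed by the uploader you expect".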