> If people stop running install scripts, isn't Shai-Hulud 3: Electric Boogaloo just going to be designed to run its obfuscated malware at runtime rather than install time?
Many such forms of malware have already been published and detected.
> Who manually reviews new versions of their project dependencies after installing them but before running them?
One person putting in this effort can protect everyone thereafter.
The PyPI website has a "Report project as malware" button on each project page for this purpose.
But yes, this is the world we live in. Without this particular form of insecurity, there is no "ecosystem" at all.
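As an added example (not the commenter's code, and not a tool PyPI ships), here is one concrete shape the "review after install, before run" step can take for a Python dependency. It is a heuristic scanner: it flags a `setup.py` (code that runs at install time, before anyone reviews anything), plus the runtime staging pattern the thread worries about, where `exec`/`eval`/`compile` are fed by a decoder such as `base64.b64decode` or `zlib.decompress`, and long opaque string blobs that usually hold such a payload. The sample module texts are constructed for illustration; the severity labels and thresholds are my own choices, and a clean report is a reason to go read the diff, not proof of anything.

```python
"""Heuristic review aid for a freshly installed Python dependency.

Added example, not the commenter's code. It reports (a) install-time hooks
(a setup.py executes under `pip install` from an sdist) and (b) runtime
staging: exec/eval/compile fed by a decoder call, and long opaque string
blobs. Everything here is heuristic; a hit means "read this file".
"""
import ast
import re
import sys
from pathlib import Path

DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
DECODERS = {"b64decode", "b32decode", "a85decode", "decompress", "fromhex", "unhexlify"}
# 200+ chars drawn only from a base64/hex-ish alphabet, no whitespace: an opaque blob.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=_\-]{200,}$")

# Constructed samples (not real packages): a benign module and a staged loader.
SAMPLE_BENIGN = "import json\n\ndef load(path):\n    with open(path) as fh:\n        return json.load(fh)\n"
SAMPLE_STAGED = (
    "import base64, zlib\n"
    "exec(zlib.decompress(base64.b64decode('" + "QUFB" * 60 + "')))\n"
)


def _call_name(node):
    """Bare name of the callee: exec, b64decode, decompress, ..."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def scan_source(src, filename="<string>"):
    """Return [(lineno, message)] findings for one Python source text."""
    findings = []
    try:
        tree = ast.parse(src, filename)
    except SyntaxError as exc:
        # Source that will not even parse is itself worth a look.
        return [(exc.lineno or 0, "HIGH: unparseable source")]
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name not in DYNAMIC_EXEC:
                continue
            # exec(base64.b64decode(...)) / eval(zlib.decompress(...)): the real
            # payload only exists after decoding, so plain grep never sees it.
            decoded = any(
                isinstance(sub, ast.Call) and _call_name(sub) in DECODERS
                for arg in node.args
                for sub in ast.walk(arg)
            )
            sev = "HIGH" if decoded else "MEDIUM"
            what = "decoded input" if decoded else "dynamic input"
            findings.append((node.lineno, f"{sev}: {name}() with {what}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if BLOB_RE.match(node.value):
                findings.append((node.lineno, f"MEDIUM: opaque {len(node.value)}-char string blob"))
    return findings


def scan_files(files):
    """Scan a {relative_path: source_text} mapping; returns {path: findings}."""
    report = {}
    for path, text in files.items():
        if Path(path).name == "setup.py":
            # Runs under `pip install`, i.e. before any post-install review.
            report.setdefault(path, []).append((0, "INFO: setup.py runs at install time"))
        if path.endswith(".py"):
            report.setdefault(path, []).extend(scan_source(text, path))
    return {p: f for p, f in report.items() if f}


def scan_package(root):
    """Walk an installed package directory (e.g. site-packages/foo) and scan it."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*.py")}
    return scan_files(files)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(scan_package(target).items()):
        for lineno, msg in hits:
            print(f"{path}:{lineno}: {msg}")
```

Run it as `python scan.py path/to/site-packages/somepkg` right after `pip install` and before importing the package. Walking the AST rather than grepping matters because the decoder-inside-exec pattern survives renaming and string splitting that defeat simple text matches; conversely, a determined author can still hide behind `getattr(builtins, ...)` or a custom decoder, which is why the output is a reading list, not a verdict.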