Well, who's surprised? Not this guy.
Of course I don't know what these subpoenas were about, but considering ...
https://www.bitdefender.com/blog/hotforsecurity/supply-chain-attack-detected-in-pypi-library/
https://arstechnica.com/information-technology/2021/11/malware-downloaded-from-pypi-41000-times-was-surprisingly-stealthy/
https://www.esecurityplanet.com/threats/supply-chain-flaws-found-in-python-package-repository/
https://labs.sogeti.com/analysis-of-the-biggest-python-supply-chain-attack-ever/
https://portswigger.net/daily-swig/dependency-confusion-attack-mounted-via-pypi-repo-exposes-flawed-package-installer-behavior
https://blog.sonatype.com/another-day-of-malware-malicious-botaa3-pypi-package
https://threatpost.com/cryptominers-python-supply-chain/167135/
... all of that, I think I'm not leaning too far out the window if I hazard an educated guess. And these aren't even cherry-picked, I just copy-pasted the first few results from a quick web search.
Supply chain attacks are a serious problem in the Python ecosystem. A problem that needs to be addressed. That includes investigations by authorities. And where else are authorities supposed to start looking?