I'm a lot less worried about this than I am about MELPA packages being targeted. But any other editor that incorporates a package manager exposes the same threat surface, and just about all of them are a lot more popular (thus more worth targeting) than Emacs.
Yes, it boils down to "be careful with untrusted code" no matter where it comes from. This is certainly not unique to Emacs.
I'm starting to get "return to notepad++" vibes from HN today.
Well I use mostly stock emacs. If that's already owned, then I guess I'm screwed. I'm very selective about adding additional packages or using other "uninspected" elisp code.