"bandit" (available on PyPI) is a nice static analysis tool - I don't remember if it is able to recurse into dependencies though

[safety](https://pyup.io/safety/) is a commercial product that monitors your dependencies for this kind of shenanigans

LGTM.com seemed to be working in this area - Semmle was acquired by GitHub/Microsoft