Yes, if you control the index, you can lie to pip about what the package's hash should be. This is why you have to opt in to using a different index, and why the connection to PyPI has been properly secured since forever (https://github.com/pypa/pip/issues/425 ; note the date).

Once pip supports installation from a PEP 751 lockfile (should be very soon, by my understanding), presumably this won't work, unless the lockfile is already compromised.

The clearly AI-generated README is also confused about how this works. It claims:

> Intercepts package index requests and rewrites URLs to point to the malicious mirror

but it's actually implementing a malicious mirror by forwarding requests to PyPI and then serving a modified version of the PyPI result. "Preserves and updates SHA256 hashes for modified packages" is also an incoherent description; preserving something and modifying it are mutually incompatible.