This is an increasing problem and I'm not sure how the open source community is going to deal with it. It's been a big problem with NPM packages and also Python libraries over the past five years. There's a bunch of malicious typo-squatting stuff in many package repositories (say you want libcurl but you type libcrul; congratulations, it's probably there and it'll probably install libcurl for you and bring a fun friend along).
Now with AI slop code getting submitted, it's not really possible to check every new package upload. And who's going to volunteer for that work?
"We have investigated ourselves and found no problem."