Beware typo-squatting: Package with name all lowercase was malware

See this [GHSA](https://github.com/advisories/GHSA-gp5q-mxgh-g2wx)
~~My brief look at the code/npm repo indicate nothing overly untoward, there is no public discussion regarding this issue - yet it's being listed with a fairly stark warning.~~

~~Does anyone have any insights what's going on here?~~