Good move, removing some incentive from the security theater industry to exaggerate, or even manufacture, problems then “solving” them, while gaining some free ad space and “credibility” in the process, which is something I already pondered in a previous thread that had a bad smell.

Reported: December 9, 2025
Issued: February 12, 2026

Does this mean it took two full months from the time some obvious “typosquat” packages got added and immediately reported before they were removed? That’s for the “finch” ones, looks like they got the others right away. Maybe they were not so obvious?