


That's okay, but it's not enough - it's easy to swap two letters and do similar substitutions to fool many users. If a package is downloaded 10,000 times every day, surely once in a while someone will misspell the name somehow.

Other than that, their reaction to similar incidents was to wait for somebody on twitter to notify them, ban the responsible users, and hope that it won't happen again. It's still extremely exploitable and there are surely many other novel ways of installing malware using the repository that we haven't even heard of yet. The NPM security team is slow to act and sadly doesn't think ahead. They're responsible for one of the largest software ecosystems in the world, they should step up their game.


They could (should?) implement edit distance checks on all new packages against existing packages. If the name is too similar to an existing package name it requires approval.


Yup. The best answer I can come up with given their constraints (some self-imposed) is to force all new packages to be scoped.


How many typosquats on scope names will there be, I wonder.
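An added example (not code from anyone in this thread) of the registry-side check proposed above: a new package name is compared against existing names with an edit distance that counts a swapped letter pair as one edit, and for scoped packages the scope itself is compared too, since a near-miss scope is the concern just raised. The list of existing names is constructed for the example.

```python
# Constructed list of existing package names (stand-in for the registry index).
EXISTING = {"lodash", "express", "react", "left-pad", "@types/node", "@babel/core"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete and substitute cost 1,
    and a transposition of two adjacent characters ('raect' -> 'react') costs 1
    as well, so the 'swap two letters' case is caught at distance 1."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def split_scope(name: str):
    """'@scope/pkg' -> ('scope', 'pkg'); 'pkg' -> (None, 'pkg')."""
    if name.startswith("@") and "/" in name:
        scope, _, base = name[1:].partition("/")
        return scope, base
    return None, name


def needs_review(new_name: str, existing=EXISTING, max_dist: int = 1):
    """Return the existing name the new one is too close to, or None if it is fine."""
    new_scope, new_base = split_scope(new_name.lower())
    for other in sorted(existing):
        ex_scope, ex_base = split_scope(other)
        if new_scope is None and ex_scope is None:
            # Unscoped vs unscoped: the classic 'expres' / 'raect' case.
            if osa_distance(new_base, ex_base) <= max_dist:
                return other
        elif new_scope is not None and ex_scope is not None and new_scope != ex_scope:
            # Different scopes: a near-miss scope carrying the same or a near-miss
            # package name ('@bable/core') is the scope-typosquat case. Publishing
            # inside an existing scope already requires owning that scope, so names
            # within one scope are not compared against each other here.
            if osa_distance(new_scope, ex_scope) <= max_dist and osa_distance(new_base, ex_base) <= max_dist:
                return other
    return None
```

A registry would run this at publish time and route any hit to manual approval rather than rejecting outright, since legitimate forks and similarly named libraries also trip a distance-1 check.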


Why assume they’ve already seen it? They probably just haven’t.



