The reaction (removing the package) is also similar to that of an inexperienced developer when confronted with their first vulnerability report.

Assuming good intentions (debugging) rather than malice were at play, communication is key: drop the malicious version of the package, publish a fix, and communicate on public channels (blog post, here on HN, social media) about the incident.

A proper timeline (not that AI slop in the OP article) also helps bring back trust.