NPM has yet to respond to any of this, but it appears at least `debug`'s malicious package version has been yanked.

I contacted @porkbun.com about the phishing domain and called support to have it escalated.

Nothing I can do but sit and wait right now. Sorry folks.