The dependency pathway now correctly references the secured version of the targeted package. The harmful version was published at 13:16 UTC and seems to have been removed.