
Episode 535: Dan Lorenc on Supply Chain Attacks
Software Engineering Radio - the podcast for professional software developers
The technique is similar to typo squatting. You find a commonly used package or a website and then you upload something with a very similar name, whether it's a small typo or replacing a character with the Unicode version that looks the same unless you actually look at the raw bytes. This wasn't put in intentionally, it was just something that sat around for the better part of a decade before somebody noticed that it could be abused in this manner. There are an infinite number of ways to make something look real and the naming conventions are all kind of just made up. Things get uploaded and then you kind of have to sit and wait, and this is where the social engineering part comes in for
Transcript
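The excerpt describes two ways a malicious package name is made to look like a trusted one: a small typo, or a Unicode look-alike character that only shows up in the raw bytes. The following is an added example, not code from the podcast or from Dan Lorenc, of the kind of check a registry or an internal allow-list tool can run on a candidate name. The `POPULAR_PACKAGES` list is a constructed stand-in for a registry's most-downloaded names, and the `CONFUSABLES` table is a deliberately partial, illustrative map of Cyrillic and Greek look-alikes; a real deployment would use a full confusables table such as the one Unicode publishes.

```python
import unicodedata

# Constructed stand-in for a registry's list of widely used package names.
POPULAR_PACKAGES = ["requests", "urllib3", "numpy", "django", "flask"]

# Partial map of Unicode look-alikes to ASCII (assumption: illustrative only).
# Cyrillic and Greek letters that render like Latin ones survive NFKC
# normalisation, so they have to be folded by hand.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}


def skeleton(name: str) -> str:
    """Collapse a package name to an ASCII skeleton for comparison.

    NFKC handles compatibility forms (fullwidth letters, ligatures); the
    CONFUSABLES table handles script homoglyphs that NFKC leaves untouched.
    """
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(name: str, known=POPULAR_PACKAGES, max_distance: int = 2):
    """Return (verdict, target, raw_bytes) for a candidate package name.

    verdict is one of:
      "exact"      the name is itself a known package
      "homoglyph"  it differs from a known package only by look-alike characters
      "typo"       its ASCII skeleton is within max_distance edits of a known package
      "unrelated"  nothing close was found
    raw_bytes is the UTF-8 encoding: that is what exposes a homoglyph that the
    rendered string hides from a human reviewer.
    """
    raw = name.encode("utf-8")
    if name.casefold() in known:
        return "exact", name.casefold(), raw
    skel = skeleton(name)
    if skel in known:
        return "homoglyph", skel, raw
    best = min(known, key=lambda k: edit_distance(skel, k))
    if edit_distance(skel, best) <= max_distance:
        return "typo", best, raw
    return "unrelated", None, raw


if __name__ == "__main__":
    # Constructed candidate names: a real one, a Cyrillic-e homoglyph,
    # a transposition typo, and an unrelated name.
    for candidate in ["requests", "requ\u0435sts", "reqeusts", "pandas"]:
        verdict, target, raw = classify(candidate)
        print(f"{candidate!r:14} -> {verdict:10} target={target!r:12} bytes={raw!r}")
```

The raw bytes are returned alongside the verdict on purpose: a review UI that only shows the rendered name cannot distinguish `requests` from a version with a Cyrillic е, so the check should surface the encoding, not just a boolean.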