This decision follows two security incidents. The first was last October where GitHub discovered an issue caused by maintaining a routine of a publicly available NPM service. While maintaining the database that powers a public replica of NPM, records were created that could expose private package names. This briefly allowed replica clients to potentially identify private package names through records posted to the public change stream.
A flaw fixed in 6 hours
No other information, including the contents of private packets, was accessible at all times. Those, private, in @owner/package format and created before October 20 were exposed between October 21 and October 29, when investigation began on a fix and determination of the scope of exposure. All records containing private package names were removed from the replicate.npmjs.com service on this date. Changes have been made to prevent the issue from reoccurring.
The other incident took place on November 2. GitHub received a report of a vulnerability that offered an attacker the ability to release new versions of any NPM package using an account without proper authorization. The flaw was fixed within six hours of receiving the report.