I'm worried that this is going to be seen as a reason to not take "CRITICAL" disclosures seriously at first glance like we should. A "CRITICAL" bug MUST be treated as if it was critically bad. From a community health perspective, people have been told that something really bad is …

A few full days of searching for private package names belonging to some of the targeted companies revealed that many other names could be found on GitHub, as well as on the major package hosting services — inside internal packages which had been accidentally published — and even within posts on various …