npm security is a bit of a dumpster fire. (GitHub blog post.)
The two security issues fixed here (in the order the post presents them, which is halfway down the page and the reverse of their severity):
- Private package updates were being published to the public stream of package updates for over a week, leaking company and package names, which is exactly the information an attacker wants for namespace clashes (registering look-alike public packages under those names).
- An issue that allowed "an attacker to publish new versions of any npm package using an account without proper authorization". Literally a vulnerability that let an attacker push a new version of any npm-hosted package.