The notification you received was the result of an audit of the registry for credentials that appeared to have been leaked as part of a package publish. The credentials were sitting in a file in the same directory as your module, and got published along with all the other files. To ensure your security, we invalidated all such credentials.
The audit was a combination of manual and automated inspections, so it's possible that your notification was the result of a false positive. We're currently looking into your case specifically, to get details of the exact tarball and which file triggered this. We'll update you as soon as possible.
[for the user who complained this was late, and only that user]
You're right that this notification is long after the fact. As of today, a continuous scanner is in place such that notifications will be instant in the future. We were aware that credentials could leak in this way, but were surprised by how widespread it had become, hence only implementing the scanner this week. We are a quickly growing community, and events that were once rare are becoming frequent enough to require systemic fixes, and we appreciate your patience as we grow into these.