Some sort of middle ground should have been found where the unpublished package is still accessible as an archive or something. I'd much rather get my package broken than get hacked