
This seems like a much bigger deal. Disclosing private names is not ideal but I think you have to assume your namespace and package names will leak at some point. In my opinion you should prepare for this well ahead of time by ensuring your organization uses a unique namespace/org that matches your internal/private namespace/org and squat on it. This will prevent a supply chain attack where they take a leaked namespace/package, register it and publish packages with higher versions.
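An added example, not part of the original comment: a defender-side audit of an npm-style manifest that flags internal dependencies living outside a namespace the organization has registered publicly, and notes which of them use a floating range that a higher-versioned package could satisfy. The scope `acme-example`, the package names, and the function names are hypothetical.

```javascript
// Added example: flag internal dependencies that sit outside a namespace
// (npm scope) the organization has registered on the public registry.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Split "@scope/name" into parts; unscoped names get scope === null.
function parseName(spec) {
  const m = /^@([^/]+)\/(.+)$/.exec(spec);
  return m ? { scope: m[1], name: m[2] } : { scope: null, name: spec };
}

// Anything other than an exact x.y.z pin is treated as floating, i.e. a
// higher version published under the same name could be selected.
function isFloating(range) {
  return !/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(range.trim());
}

function auditManifest(manifest, ownedScopes, internalNames) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [spec, range] of Object.entries(manifest[field] || {})) {
      const { scope, name } = parseName(spec);
      if (scope !== null && ownedScopes.has(scope)) continue; // reserved namespace
      if (!internalNames.has(name)) continue; // not an internal package
      findings.push({
        field,
        dep: spec,
        issue: scope === null ? "unscoped-internal-name" : "internal-name-in-unowned-scope",
        floating: isFloating(range),
      });
    }
  }
  return findings;
}

// Constructed sample manifest and name lists (assumptions, not from the comment).
const sampleManifest = {
  dependencies: {
    "@acme-example/billing-core": "^2.1.0", // under the reserved scope
    "acme-auth-utils": "^1.4.0",            // internal, unscoped, floating
    "left-pad": "1.3.0",                    // public third-party package
  },
  devDependencies: { "@acme-ex/test-fixtures": "3.0.1" }, // scope not owned
};
const sampleFindings = auditManifest(
  sampleManifest,
  new Set(["acme-example"]),
  new Set(["billing-core", "acme-auth-utils", "test-fixtures"])
);
console.log(sampleFindings);
```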

