npm Tooling Bug Incorrectly Marks One-Character Packages as Security Holders
ID: b4884d14-0974-56c8-a4b3-00170ce9911a
STIX ID: report--b4884d14-0974-56c8-a4b3-00170ce9911a
Feed Name: Socket Blog
Due to a tooling bug, npm unintentionally applied security-holder metadata (e.g., `0.0.1-security`, `0.0.1-security.0`) to multiple one-character packages and moved the `latest` dist-tag to those placeholders. Older versions remained available, there is no public evidence of package compromise, and npm has reverted the markings. Developers should check lockfiles (e.g., `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`) for the placeholder versions.
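The lockfile check the summary recommends, as an added example that is not part of the original post or of npm's or Socket's tooling. It scans the three lockfile formats named above for resolved versions shaped like the placeholders cited (`<semver>-security` with an optional numeric suffix); that pattern, the hand-rolled parsers for yarn.lock v1 and pnpm-lock.yaml, and the constructed sample lockfiles are all assumptions made for the demonstration.

```python
import json
import re

# Assumed placeholder shape: the advisory cites "0.0.1-security" and
# "0.0.1-security.0", so match <semver>-security with an optional ".N" suffix.
PLACEHOLDER_RE = re.compile(r"^\d+\.\d+\.\d+-security(?:\.\d+)?$")
# Assumed pnpm-lock.yaml package keys: "/name@ver:", "name@ver:" or "/name/ver:" (2-space indent).
PNPM_KEY_RE = re.compile(r"^  '?/?((?:@[^/\s']+/)?[^@/\s']+)[@/]([^\s:('\)]+)")


def is_placeholder(version):
    """True if a resolved version looks like an npm security-holder placeholder."""
    return bool(PLACEHOLDER_RE.match(version or ""))


def scan_package_lock(text):
    """Placeholder versions in package-lock.json, lockfileVersion 1, 2 or 3."""
    data = json.loads(text)
    hits = set()
    # v2/v3: flat "packages" map keyed by install path; "" is the root project itself
    for path, meta in data.get("packages", {}).items():
        if path and is_placeholder(meta.get("version")):
            hits.add((meta.get("name") or path.rsplit("node_modules/", 1)[-1], meta["version"]))

    # v1 (and v2 for compatibility): nested "dependencies" tree
    def walk(deps):
        for name, meta in deps.items():
            if is_placeholder(meta.get("version")):
                hits.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))
    walk(data.get("dependencies", {}))
    return sorted(hits)


def scan_yarn_lock(text):
    """Placeholder versions in a classic (v1) yarn.lock, parsed line by line."""
    hits, names = set(), []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            # Entry header: comma-separated "name@range" specs, possibly quoted
            names = []
            for spec in line.rstrip()[:-1].split(","):
                spec = spec.strip().strip('"')
                names.append(spec[:spec.rfind("@")])  # "@scope/x@^1" -> "@scope/x"
            continue
        m = re.match(r'\s+version\s+"?([^"\s]+)"?', line)
        if m and is_placeholder(m.group(1)):
            hits.update((n, m.group(1)) for n in names)
    return sorted(hits)


def scan_pnpm_lock(text):
    """Placeholder versions in pnpm-lock.yaml, without a YAML library."""
    hits, section = set(), None
    for line in text.splitlines():
        if line and not line.startswith(" ") and line.rstrip().endswith(":"):
            section = line.rstrip()[:-1]  # top-level key: importers, packages, snapshots, ...
            continue
        if section not in ("packages", "snapshots"):
            continue
        m = PNPM_KEY_RE.match(line)
        if m and is_placeholder(m.group(2)):
            hits.add((m.group(1), m.group(2)))
    return sorted(hits)


def scan_lockfile(filename, text):
    """Dispatch on the lockfile name; returns sorted (package, version) pairs."""
    if filename.endswith("package-lock.json"):
        return scan_package_lock(text)
    if filename.endswith("yarn.lock"):
        return scan_yarn_lock(text)
    if filename.endswith("pnpm-lock.yaml"):
        return scan_pnpm_lock(text)
    raise ValueError(f"unsupported lockfile: {filename}")


# Constructed sample lockfiles (not real projects): one placeholder hit in each.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {"": {"name": "demo"}, "node_modules/a": {"version": "0.0.1-security"},
                 "node_modules/lodash": {"version": "4.17.21"}},
})
SAMPLE_YARN_LOCK = '''# yarn lockfile v1

"@scope/b@^1.0.0":
  version "0.0.1-security.0"

lodash@^4.17.21:
  version "4.17.21"
'''
SAMPLE_PNPM_LOCK = '''lockfileVersion: '6.0'

packages:

  /c@0.0.1-security:
    resolution: {integrity: sha512-CONSTRUCTED}

  /lodash@4.17.21:
    resolution: {integrity: sha512-CONSTRUCTED}
'''

if __name__ == "__main__":
    samples = [("package-lock.json", SAMPLE_PACKAGE_LOCK), ("yarn.lock", SAMPLE_YARN_LOCK),
               ("pnpm-lock.yaml", SAMPLE_PNPM_LOCK)]
    for fname, text in samples:
        for name, version in scan_lockfile(fname, text):
            print(f"{fname}: {name}@{version} resolves to a security-holder placeholder")
```

Run it against a real checkout by replacing the constructed samples with the file contents; any hit means the lockfile pinned the placeholder while the mislabelled `latest` tag was live, and the dependency should be re-resolved now that npm has reverted the markings.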
