If it wasn't clear before that everyone should get off travis (and it was), this should be the thing that makes it clear. This is not a trustworthy company anymore. Which is sad when they really used to be.
Private equity running it into the ground.
My concern now is that I will need to double check all my npm dependencies that could have potentially been affected by this, because it's very feasible that creds were leaked that could lead to an attacker surreptitiously injecting malicious code into a build.