The people in possession of the data are not the ones who will use it. I have not seen the GPG keys in the file list. Their mission is to simply get paid. If they don’t get paid, then they release the data, which is where the problem is. I don’t think there is any current risk to modules at this time. The risk will present when the data goes into the wild and people with various motives use it.
Back to the land of speculation: without a postmortem, we don’t know the attack vector, nor do we know if others have compromised the network in the same or more nefarious ways. In the end, I think the module repo is the lowest risk. It comes down again to what data ultimately sees the light of day, who actually sees that data, and what they do with it. My guess is the safest states of the data are now and if/when they get paid. They want a payday, plain and simple. Additional attacks or messing with stuff would hurt that possibility.