Apparently, yes. My guess is it was the Shai-hulud npm malware leaking their Github keys.