According to [1] "All affected packages were published via GitHub Actions OIDC from the RedHatInsights/javascript-clients repository, indicating the upstream CI/CD pipeline itself was compromised."
So the malicious package would have gotten the happy little green star, with users assured it was "Built and signed with provenance."
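To make the point concrete, here is an added example (not from the comment above or from any registry's code) of what a provenance check actually establishes. It takes an in-toto Statement with a SLSA v1 provenance predicate, shaped like what a GitHub Actions OIDC publish produces, and verifies the artifact digest, predicate type and source repository. The repository URL is the one named above; the package name, tarball bytes, digests and commit hashes are constructed for the example. The `origin_check` function is what a "built with provenance" badge effectively asserts; `pinned_commit_check` is a hypothetical stricter consumer policy that also requires the build to come from a commit someone has reviewed, which is the kind of check that still fails when the pipeline itself is the thing that was compromised.

```python
import hashlib

# Constructed sample artifact and provenance statement (values made up).
TARBALL = b"constructed-tarball-bytes-for-the-example"

STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{
        "name": "pkg:npm/%40example-scope/example-client@1.2.3",
        "digest": {"sha512": hashlib.sha512(TARBALL).hexdigest()},
    }],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {
                "workflow": {
                    "ref": "refs/heads/main",
                    "repository": "https://github.com/RedHatInsights/javascript-clients",
                    "path": ".github/workflows/publish.yml",
                }
            },
            # Constructed commit hash; not a real commit in that repository.
            "resolvedDependencies": [{
                "uri": "git+https://github.com/RedHatInsights/javascript-clients@refs/heads/main",
                "digest": {"gitCommit": "d3adb33f" + "0" * 32},
            }],
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
}


def verify_subject(statement, tarball):
    """Provenance is bound to the artifact: the subject digest must match the tarball."""
    digest = hashlib.sha512(tarball).hexdigest()
    return any(s["digest"].get("sha512") == digest for s in statement["subject"])


def source_repo(statement):
    """Repository the workflow ran from, per the externalParameters."""
    return statement["predicate"]["buildDefinition"]["externalParameters"]["workflow"]["repository"]


def source_commit(statement):
    """Git commit the build resolved, per resolvedDependencies (None if absent)."""
    for dep in statement["predicate"]["buildDefinition"]["resolvedDependencies"]:
        if dep["uri"].startswith("git+"):
            return dep["digest"].get("gitCommit")
    return None


def origin_check(statement, tarball, trusted_repos):
    """What a registry provenance badge asserts: the artifact matches, the predicate
    is SLSA provenance, and the build ran from a repository on the trusted list.
    It says nothing about what the workflow in that repository actually did."""
    return (
        statement["predicateType"] == "https://slsa.dev/provenance/v1"
        and verify_subject(statement, tarball)
        and source_repo(statement) in trusted_repos
    )


def pinned_commit_check(statement, tarball, trusted_repos, reviewed_commits):
    """Hypothetical stricter consumer policy: origin must check out AND the build
    must come from a commit a human has reviewed. A package built by a compromised
    pipeline from an unreviewed commit carries perfectly valid provenance yet fails."""
    return origin_check(statement, tarball, trusted_repos) and source_commit(statement) in reviewed_commits


if __name__ == "__main__":
    trusted = {"https://github.com/RedHatInsights/javascript-clients"}
    # Origin-only policy: this is the "green star". Passes.
    print("origin check:", origin_check(STATEMENT, TARBALL, trusted))
    # Consumer has only reviewed a different (constructed) commit. Fails.
    reviewed = {"c0ffee00" + "0" * 32}
    print("pinned commit check:", pinned_commit_check(STATEMENT, TARBALL, trusted, reviewed))
```

The takeaway the checks encode: provenance proves where and how the artifact was built, so a build that genuinely ran in the compromised upstream pipeline is attested truthfully. Consumers who want protection against that failure mode need a policy that binds to something reviewed (a commit, a tag review, or a reproducible rebuild), not just to the builder identity.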