No, the reference to May 19 in the article is about a previous supply chain attack against AntV (https://www.stepsecurity.io/blog/shai-hulud-here-we-go-again...). I think there may be some copy-paste mistakes where they reused part of that previous article and didn't contextualize it correctly.
The npm package `@redhat-cloud-services/chrome` version 2.3.1, which was part of this current supply chain attack, was published on June 1. The malicious package version is no longer listed on npmjs.com's web UI since it was taken down, but the publish date of 2.3.1 can still be seen in https://registry.npmjs.org/@redhat-cloud-services/chrome by searching for the version number there, and the publish date was 2026-06-01T10:54:42.121Z.
I find the article extremely annoying for not having a clear timeline of when these malicious package versions were available.
The npm package `@redhat-cloud-services/chrome` version 2.3.1, which was part of this current supply chain attack, was published on June 1. The malicious package version is no longer listed on npmjs.com's web UI since it was taken down, but the publish date of 2.3.1 can still be seen in https://registry.npmjs.org/@redhat-cloud-services/chrome by searching for the version number there, and the publish date was 2026-06-01T10:54:42.121Z.
I find the article extremely annoying for not having a clear timeline of when these malicious package versions were available.