Yes, but the exploit was with Github Actions not something that pnpm really prevented.