Supply-chain compromise has moved from targeted espionage tool to volume business — and a single group is now responsible for an attack pace that package maintainers and platform operators alike are s