A Chinese-linked cyberespionage group has pulled off a classic software supply-chain ambush, compromising a popular open-source coding tool and turning trusted updates into a stealthy delivery system ...