The incident highlights growing supply-chain risks in crypto security as attackers shift from code exploits to abusing trusted software distribution channels.