Hacker News
by nicce 1420 days ago
> The supply-chain attack is a self-inflicted attack

It is an attack regardless. Someone has made something malicious which affects the process for the end-user acquiring the final software.

> it seemed pretty clear to me that GGP misunderstood this as malicious code being inserted into existing trusted repositories, which is a common misunderstanding in the rest of the comments, and seems to be encouraged by the poor wording of the tweets.

I think the author just wanted to get attention and be sensational. He deliberately did not mention that they are forks. Just rushed to report findings.