In what’s a new kind of software supply chain attack aimed at open-source projects, it has emerged that threat actors could seize control of expired Amazon S3 buckets to serve rogue binaries without altering the modules themselves.