That massive GitHub supply chain attack? It all started with a stolen SpotBugs token