I wonder if this is a “precursor” attack to the likes of a solar-winds style compromise?

Get into their dev env (ideally unnoticed), exfiltrate the sensitive code you need, poke around their systems. Once you’ve got a handle on their code and have figured out what to add, do so and just begin the waiting game.

Maybe that’s all happened, and this attack is “air cover” for the last-stage.