It does attack the supply chain. It attacks the provider of documentation. It's an attack on the documentation supply chain.

It would be like if you could provide a Windows Update link that went to Windows Update, but you could specify Windows Update to retrieve files from some other share that the malicious actor had control of. It's the same thing, except rather than it being a binary rather it is documentation.