I think you misinterpreted the sentence. They don't need to change the WHOIS client; it's already broken, exploitable, and surviving because the servers are nice to it. They needed to become the authoritative server (according to the client). They can do that with off-the-shelf code (or netcat) and don't need to mess with any supply chains.
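The point above, that whoever controls the server the client talks to controls everything the client parses, can be shown with a minimal RFC 3912 exchange. The following is an added example written for this thread, not code from the article or from any WHOIS client it discusses: a toy WHOIS responder (the "authoritative server"), a "polite" and a "hostile" version of its reply, and a client that refuses to trust the server past a bounded read. The sample record, the 64 KiB cap and the hostile 1 MiB blob are constructed for illustration.

```python
import socket
import socketserver
import threading

# Constructed sample WHOIS record for illustration; not real registry data.
SAMPLE_RECORD = (
    "Domain Name: EXAMPLE.MOBI\r\n"
    "Registrar: Example Registrar, Inc.\r\n"
    "Registrar WHOIS Server: whois.example.invalid\r\n"
    "\r\n"
)

# Hypothetical cap chosen for this example; RFC 3912 itself sets no limit,
# which is exactly why a client has to pick one.
MAX_RESPONSE_BYTES = 64 * 1024


class WhoisHandler(socketserver.StreamRequestHandler):
    """Minimal RFC 3912 responder: read one query line, write a reply, close."""

    def handle(self):
        query = self.rfile.readline(1024).rstrip(b"\r\n").decode("ascii", "replace")
        try:
            # self.server.responder is a callable(query) -> bytes set by start_server().
            self.wfile.write(self.server.responder(query))
        except (BrokenPipeError, ConnectionResetError):
            # A cautious client hung up on us mid-reply; nothing to do.
            pass


class WhoisServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, responder):
        super().__init__(("127.0.0.1", 0), WhoisHandler)  # port 0: pick a free port
        self.responder = responder


def start_server(responder):
    """Run a WHOIS responder on a loopback port in a background thread."""
    srv = WhoisServer(responder)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def polite_responder(query):
    """What a well-behaved registry sends: a short, line-oriented record."""
    return SAMPLE_RECORD.encode("ascii")


def hostile_responder(query):
    """What a server run by whoever picked up the domain can send: 1 MiB, no newlines."""
    return b"A" * (1024 * 1024)


def whois_query(host, port, domain, max_bytes=MAX_RESPONSE_BYTES, timeout=5.0):
    """Client that does not rely on the server being nice: timeout and bounded read."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        chunks, total = [], 0
        while True:
            data = s.recv(4096)
            if not data:
                break
            total += len(data)
            if total > max_bytes:
                raise ValueError(f"WHOIS response exceeds {max_bytes} bytes; refusing to parse")
            chunks.append(data)
    return b"".join(chunks)


def parse_record(raw):
    """Turn 'Key: value' lines into a dict, dropping lines that are not well-formed."""
    record = {}
    for line in raw.decode("ascii", "replace").splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record[key.strip().lower()] = value.strip()
    return record


if __name__ == "__main__":
    srv, port = start_server(polite_responder)
    print(parse_record(whois_query("127.0.0.1", port, "example.mobi")))
    srv.shutdown(); srv.server_close()

    srv, port = start_server(hostile_responder)
    try:
        whois_query("127.0.0.1", port, "example.mobi")
    except ValueError as e:
        print("rejected:", e)
    srv.shutdown(); srv.server_close()
```

The bounded read is the whole defence: a client that reads until EOF into a fixed buffer, or hands the raw reply to a parser with no length check, is fine against a registry that answers in a few hundred bytes and is not fine the day the hostname resolves to someone else's box.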
This is the problem with allowing a critical domain to expire and fall into evil hands when software you don't control would need to be updated to not use it.
Yes, getting through the article I was happy to see that wasn't the case and that it was just vulnerabilities that had existed in those programs.
Definitely they could have worded that better to make it not sound like they had been intentionally contributing bad code to projects. I'll update my original post to reflect that.