Https is not hackable “yet” so you can’t intercept the traffic in the middle. They intercepted http traffic and swapped the malicious js file in http traffic.
Can't China just issue its own certificates to make the browser see a secure connection to the target server when it talks to a Chinese firewall server instead. I mean they have access to valid root certificates, right?