Update:
The NY Times published a story today citing intelligence sources that answer the question of how the supply chain was accessed.
Apparently, it was not during shipment, and Israel did not buy the pagers and then modify them.
Instead they are the people that started BAC Consulting in Hungary, and a number of other shell companies. They created the company, signed a legitimate contract with Gold Apollo for production, and even sold legitimate pagers to customers.
When they got the contract for the Hezbollah pagers they modified the designs to add different firmware and explosives, and then sent them along like any other normal shipment.
In some ways, strangely, this is comforting. A supply chain interdiction of this scale would be deeply concerning. In this scenario, if this shows itself to be true, the amount of work involved in the operation was extreme, and is unlikely to be repeated in this exact way again.
Though this did not happen through supply chain interdiction, and instead involved a far more elaborate ruse, they still did start a shell company that legitimately made pagers. That should still focus our attention on what devices we use, where they come from, and what they contain.