I have mentioned the hardware supply chain compromises; the software component is lesser known though. The linked write-up sheds light on this:
Let’s talk about supply chain attacks and backdoored dependencies
What makes supply chain attacks particularly attractive is that they are cheap and easy to execute, as they (most of the time) don’t require exploits; the attack surface is huge; they can have a large reach, with packages downloaded 1M+ times a week, for example; and because they allow remote code execution on developers’ machines, the exfiltrated data and credentials can be used to reach even more targets, which makes them a good way to spread a worm.
The write-up is complex for me to understand, but there are many links here to follow through on what the author has compiled.