Signed code attacks are easy and a dime a dozen. Code signing certs are everywhere and easy to obtain. China and Taiwan have hundreds of code signing certs they can use to create or compromise products, and they do it all the time. The media is pretending this is novel and they obviously fooled you.
Other software supply chain attacks are through unsigned open source, also quite common. The US military has a ton of open source in it, supposedly all vetted, but it's not.
Vulnerabilities are a hidden way to allow adversaries to gain access to a product. For example a voting machine company can use SW that they know is vulnerable, advertise that fact on their website, and expect that enemies can use that information to meddle in elections.
A good example of the latter is Adobe. Inserting Adobe components is not much more than a way to make sure that a product is hackable.
Why would any company do that, you might ask. The answer is simple: $$$.
See my previous comments on this matter.
Signing your malicious code with a random cert is trivial, but creating your own binary signed by 'microsoft', or 'solarwinds', or 'etc' is hard. Inserting it into their update program is harder. I know because I have done it. Very stressful, because it's on you if something is wrong and there are insane audit trails that do not go missing.
Unsigned 'open source' is not even in the same ballpark.
Yes, Adobe (the Flash product) has been a clusterf#(k forever, but that has nothing to do with this.