The SolarWinds megahack underscores what security mavens have been warning about for years: The software supply chain is complex, vulnerable, somewhat invisible and insufficiently protected.
For example, on Dec. 2, 2020, eleven days before the government’s announcement that it had been hacked, we quoted sources warning that the software supply chain is extremely vulnerable to cyberattacks, primarily because of the many links in the chain that are potentially invisible or unknown to design engineers. Our sources said attacks are especially likely during and after firmware updates, which is precisely how the SolarWinds hack occurred: during updates of Orion software that was trojan-ized to deliver malware.
https://www.embedded.com/software-suppl ... ulnerable/