I think it could have its own section and have been working on a PR in this regard.
It’s an important issue, especially with software these days having a lot of external dependencies.
We see some articles about it for modern tooling:
- How Go Mitigates Supply Chain Attacks - The Go Programming Language
- Node's Security Problem
- Build a More Secure Web using npm with Deno
- Rust Foundation - Improving Supply Chain Security for Rust Through Artifact Signing
- Supply-chain attack hits RubyGems repository with 725 malicious packages | Ars Technica
- NPM supply-chain attack impacts hundreds of websites and apps
- No Unaccompanied Miners: Supply Chain Compromises Through Node.js Packages | Mandiant
- Malware Found in Arch Linux AUR Package Repository
- Report for vulnerabilities in Oh My Zsh (2021-11-12) · Issue #10414 · ohmyzsh/ohmyzsh · GitHub
We also see some examples of that in:
One of the most famous ones in the past was the patches that Debian applied to the OpenSSL random number generator (CVE-2008-0166). I’m not sure whether malicious intent was ever proven, as with the XZ vulnerability, e.g. purposefully obfuscated code.