It can be viewed as another type of insider threat. Access through a hardware supply chain may require development and manufacturing of a subverted version of a microelectronic component and a complicated operation to insert the device into the targeted computer, possibly through use of insiders in the supply chain.
A software supply chain attack might involve, for example, a subversion embedded in lower-level system software not likely to be evaluated during testing. Another approach is to subvert the master copy of software used for broad distribution. Even if the software is tested, subversions may be difficult to detect since they would typically be revealed only under circumstances difficult for a defender to discover.