Episode 535: Dan Lorenc on Supply Chain Attacks

Software Engineering Radio - the podcast for professional software developers

Supply Chain Attacks - What Are the Top Attacks?

In reading about this area, many of these attacks were discovered in some cases years after the intruder had penetrated the network. I don't think there's anything remarkably different about supply chain attacks in general, but there are certain ones they can lurk around for a lot longer. If developers' passwords get compromised or their laptops get stolen and they happen to be maintainers of a large project on, say, PyPI or NPM, now malicious code can get uploaded there. That's why registries like PyPI from the Python Software Foundation and NPM are now rolling out mandatory multi-factor authentication against those threats.
