“ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be," one researcher said.