CISO Talk by James Azar

Backdoors by Design: China’s Long Game Against America’s Supply Chain - and the Real Economic Bill

James Azar
Oct 18, 2025

When F5 disclosed the theft of BIG-IP source code and internal vulnerability data, it wasn’t just another headline—it was a crystal-clear view into Beijing’s playbook. This isn’t smash-and-grab. It’s pre-positioning: shape the update pipeline today so tomorrow’s patch can be the perfect backdoor.

If SolarWinds proved the scale of supply-chain compromise, China refined the tactic—quiet, persistent, “living off the land,” and aimed at the places where identity and traffic converge.

The Pattern: From NetSarang to F5

  • ShadowPad / NetSarang (2017): a signed, trusted update hid a modular backdoor—ground zero for the modern PRC-linked supply-chain implant.

  • CCleaner (2017): millions pulled a backdoored installer; the update channel itself became the attack surface.

  • ASUS / ShadowHammer (2018–2019): vendor certificate + targeted payloads delivered via ASUS Live Update—the signature as camouflage.

  • APT10 / “Cloud Hopper” (2016–2018+): compromise the MSP to reach thousands of customers downstream.
