It strongly implies that the vendor was thoroughly compromised, in order to insert backdoors into their software (possibly amongst other attacker actions).
Yeah, seems like a buried lede. SolarWinds was owned pretty badly and the attack that led to that isn't described. Once they had access they had free rein to send malware to any one of their clients masquerading as routine patches. Sounds like they went the extra mile to deliver an extremely subtle exploit to avoid detection.