It depends on how you define supply chain attacks.

Recently, there was an exploit discovered in an abandoned Rust package that was used by many other Rust projects, many unaware of it due to the sheer number of dependencies. Whether by negligence or malice, having a known vulnerability that permeates significant portions of the ecosystem is on the order of a supply chain attack.

https://edera.dev/stories/tarmageddon

Worse yet, independent research suggests that the state is arguably much worse: https://00f.net/2025/10/17/state-of-the-rust-ecosystem/

Given projects that make the claim of switching to Rust to access new contributors, it remains to be seen how many of those new contributors are capable of being retained.