The word of someone who's not an expert in the subject, who wasn't in the meetings and only heard about them via an unspecified number of intermediates, and doesn't even work there but "advises" the companies? Forgive me, but for the only sourcing of their main claim, that's a bit too weak to clear my standard of evidence.
it's not the "only" sourcing of the main claim, merely an example. (did you read the article?)
> Alarmed by the devices’ sophistication, officials opted to warn a small number of potential targets in briefings that identified Supermicro by name. Executives from 10 companies and one large municipal utility told Bloomberg News that they’d received such warnings. While most executives asked not to be named to discuss sensitive cybersecurity matters, some agreed to go on the record.
> “This was espionage on the board itself,” said Mukul Kumar, who said he received one such warning during an unclassified briefing in 2015 when he was the chief security officer for Altera Corp., a chip designer in San Jose. “There was a chip on the board that was not supposed to be there that was calling home—not to Supermicro but to China.”
