whimsicalism 18 hours ago

fascinating! but this is not a supply-chain attack unless I'm misunderstanding

td2 13 hours ago | parent [-]

It kinda is, no? Discord uses Mintlify. Mintlify was vulnerable. And because they got access to Mintlify, Discord was now also attackable.

Aachen 2 hours ago | parent | next [-]

That's how language shifts. Supply chain attacks are broadly seen as a scary new thing, so, like with any such term, people try to shoehorn things they find into its meaning. Those who fall for and repeat it shift the language. The same happened to the word 0day: it used to mean "a vulnerability that you specifically haven't had a chance to patch because it has been known to the world for 0 days". A scary thing. Now it's commonly used as a synonym for the word vulnerability.

I wonder if every vulnerability is soon called a supply chain attack:

- Microsoft releases a Windows security update -> Discord uses Windows -> supply chain attack on Discord

- User didn't install security updates for a while -> brought their phone to work -> phone with microphone sits in pocket in meeting room -> supply chain attack

Everything has dependencies that can be vulnerable; that doesn't mean "the supply chain" was attacked in a targeted effort by some attacker.

whimsicalism 13 hours ago | parent | prev [-]

that’s just a vulnerability in a dependency. a supply-chain attack is introducing malicious code in a dependency