What supply chain attacks is a Ledger Nano vulnerable to which would go undetected?
I am not aware of one.
But I wouldn't exclude it. I am hesitant when it comes to saying "There are no attacks which...".
As far as I am aware, there is no known supply chain attack (not to say one doesn't exist) which would be able to bypass connecting to Ledger Live and updating the device as you would when you first receive it, which would verify the hardware as well as wipe any malicious code.
Inserting an antenna, as shown in the wallet.fail presentation, would be such an attack:
Source: wallet.fail presentation (2018)
This allows triggering the button press to confirm a transaction via RF.
This requires physical co-location, but is a possible attack vector. Together with a compromised machine which sends a malicious transaction to the nano, an attacker can instantly approve it from at least 20-50 meters away (given the attacker owns a powerful antenna).
Since neither the microcontroller nor the firmware is manipulated (the attack only works by applying a specific voltage to trigger the "button press" command), it goes undetected by the Ledger genuine check.
However, it is very noticeable when opening the case.
Given that, and coupled with the fact that handing over your personal details is both a significant privacy and security risk, as we have recently seen, then if you cannot order a device under fake credentials, is it really a higher risk to buy a device from a third party (assuming you are going to follow the setup guide and verification process properly)?
Well, this is a tricky question.
It depends on the threat model, I'd say.
A proper verification (including opening the case) already negates the majority of attacks. So that's a pretty secure way, I think.
However, a second data leak would be pretty unlikely too, I guess (but probably still more likely).
A hardware vulnerability would mean you lose all of your coins. A data leak could mean 1) only your mail address is leaked or 2) your full address data. Whether this results in a higher risk of losing your coins (e.g. through burglary) is hard for me to estimate.