I don't see how their software can be compromised unless they were lying about how are the private keys generated and them being non custodial.
Atomic wallet is closed source. Anything could be hiding in the code, not just from them being actively malicious but also from a rogue employee sneaking something in, a malicious third party sneaking something in, someone compromising their app store account to upload a malicious app, or even just plain incompetence.
I am also reminded of the Copay wallet hack several years ago. Copay had a dependency on a specific JavaScript library which was no longer maintained. A malicious third party obtained control of this library, merged a malicious update, and it was pulled in to Copay updates without anyone realizing.
Just another in the long list of reasons to never use closed source wallets.
On top of that, Atomic wallet is owned is owned by Binance which historically has few questionable behavior.
Are you confusing them with Trust wallet? I didn't think Atomic was also owned by Binance?
For those of you like me that did not remember if you left any funds in there (I had an entire $2 of tron so no big deal) just put your phone in airplane mode or disconnect your internet from you PC and check. And then if needed get your private keys. Don't start with getting the keys and importing do a time / effort analysis.
Copay was open source.
But as I have said countless times. Open source and build verified still does not prevent bad coding. Or as you mentioned a supply chain attack.
It just allows more people to see the bad code and report it and get it fixed.
And also as I have said countless times. Open source don't mean shit if people don't verify the source vs compiled that you are downloading. And lets not forget the HOW SECURE IS THE PROCESS OF UPLOADING THE APP TO THE VARIOUS APP STORES.
Everything else could be perfect, but if you don't secure that system then you are not secure.
-Dave