So, reformatting the device and updating the software/firmware should prevent such a supply chain attack.
I think Ledger's Donjon security team is trying to prove itself rather than a serious security vulnerability.
As far as I understand, this is not entirely true.
The Trezor article says the following:
Ledger Donjon researchers didn’t extract a private key or PIN from the tested device.
However, they demonstrated a way to bypass the authenticity check, and the firmware hash check in Trezor Safe 3 using advanced tools and a high level of hardware expertise.
……….
Users who purchase from official sources remain fully secure.
That is, only those users who made a purchase from official sources are safe.