[Is there a summary (that you’re aware of) outlining the Supermicro hacks indicating the infected components and years?]
Not to my knowledge. A lot of this stuff will remain hush-hush because the sources stand to literally lose their livelihoods if their identities are disclosed. This is precisely why the photo shown in the original Bloomberg article was a stock picture of a generic item from Mouser rather than an actual instance of a hardware hack. A photo of the actual thing would have, in effect, doxxed one or several of Bloomberg’s sources. Until someone with the big picture is or the collective sources are allowed to speak to the press, much of this will remain murky.