Some time ago I bought a USB flash drive online from China. When I plugged it into my PC Windows Defender detected that malware(seems like a crypto miner) was present on the flash drive.
In the image below you can see the contents. It seems like autorun.inf was supposed to run when the USB gets plugged in. However, this feature was disabled in Windows many years ago to protect users from this exact type of attack. So the malware either targets older systems or the attackers simply hope that the user clicks the file.
So I guess you should be careful with any storage device you buy and always format it before using it. The malware shouldn’t be able to come back after that unless the attackers have put some serious effort into modding the USB drives hardware or its memory controllers’ firmware. I would assume that only certain government agencies are capable and willing to do that if they are going after a specific target/goal. So the average user (probably) doesn’t have to worry about it.
As far as who and when they put the malware on the USB is hard to say. It could have happened at almost any point in the supply chain: employee at the factory where the USB is manufactured, the seller(or one of their employees), or any other middle man that buys and resells the drives within Cina before they get to the final seller that sells them online.
Also this isn’t an isolated incident as according to the FBI a similar thing has happened to a company that bought thumb drives that originated from China.