It seems like nothing is necessarily wrong with the software itself. Its the opsec surrounding the software. The most secure software in the world can be pwned if you can get access to the lead dev's system or the build system itself.