A release maintainer account was compromised and malicious code was introduced in a release.
Most distributions didn't pick up the tainted release, and a superseding release was issued later.
Source Code - Infrastructure compromise with source code access, no signatures/authenticity.