> SmartTube’s developer told me that the computer used to create the APKs for the project’s official GitHub page was compromised by malware. As a result, some official SmartTube releases were unintentionally released with malware.

Seems it's lacking in information about how a malware manages to compromise supposedly signed releases? Do authors not have the production signing keys behind a password or similar, and review 100% of the changes before they deploy stuff?

I swear the more time goes on, the more I'm loosing faith in the entire ecosystem. People running random binaries on the same device they do banking on always surprised me, but now developers manages to get malware on their developer machine and are publishing random binaries to other strangers???