Not an official comment, but from other parts of the hacker news thread it sounds like one of the mirrors the main site redirects to was hacked, not the main site itself. The SHA sums on the main site where apparently unaltered. So it sounds like the only fault on the developers is trusting that mirror.
The current version could be being compromised this minute for all we know.