Has the Transmission team offered any explanation of how the tainted binary ended up being served by them? My concern is that the attackers were also able to maliciously modify the Transmission source code.
Do you have a citation for this? The extent of what was illicitly accessed remains unclear. Without knowing how their infrastructure is set up, it's not possible to say that the intrusion was limited to just the web server.
Thanks for that; at least it's something. John Clay is listed here[1] as a contributor to "Website maintenance and troubleshooting, Mac OS X help documentation". I wish they would post a similar update on their website and explicitly confirm that the current source and binaries have been audited and are safe.
They've probably addressed it officially by now, but the malware was only included in v2.9.0 downloaded from the web page directly. It wasn't included if the update was performed through the Transmission client. That would seem to suggest it was the web server that was compromised.