I wish they were more definitive as to if there was (or was not) any compromise of the source code repository credentials. Eg could the attacker have injected malware into the code as in the Solarwinds incident?
They would have to push an infected update to all the client-side apps, which is something that would be extremely obvious and would have been immediately announced by Lastpass
Update: another comment mentioned that the SolarWinds hack was a hijacked download, and companies did not catch on until much later. It seems like companies are not monitoring their releases as much as I'd hoped