They would have to push an infected update to all the client-side apps, which is something that would be extremely obvious and would have been immediately announced by Lastpass
Update: another comment mentioned that the SolarWinds hack was a hijacked download, and companies did not catch on until much later. It seems like companies are not monitoring their releases as much as I'd hoped