Because they weren't. This is a social-engineering attack to install modified versions of the tools that end up being trojans. The tools themselves were fine, and no malicious code ever made it upstream, at least that we know about (not that upstreaming was attempted in this case).
But why not use a hype headline implying that OSS tools were weaponized.