[hulitu]

> the hackers instruct the individuals to install the apps, which infect the employees' work environments

But why not use a hype headline implying that OSS tools were weaponized.

[LoganDark]

Because they weren't. This is a social-engineering attack to install modified versions of the tools that end up being trojans. The tools themselves were fine, and no malicious code ever made it upstream, at least that we know about (not that upstreaming was attempted in this case).