Pretty straightforward, honestly: if the signature on a piece of malware can be verified by a corporation's private key, unless that corporation is a remarkably inept bad actor, that corporation and its signing key have been compromised.
Not saying it's how these were picked up, but that's the most obvious way.
I think you’d be surprised how many large companies have such poor control of their signing servers that anyone in the company with a valid login and engineering group membership can generate signatures for arbitrary artifacts.
What would an actual secure workflow for signing artifacts look like?
I'm thinking: Final round of "code review" by security engineer on high-security single-purpose device, build artifact on that device, sign using hardware security module.
I put "code review" in scare quotes because code changes are potentially expensive at this point. For minor issues, turn to your standard workstation and file an issue for next release. For a major security problem, call off the release.
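One concrete shape of the "sign only what was reviewed" step from the workflow above, as an added example that is not code from anyone in this thread. It assumes a hypothetical approval record (the digest the security engineer signed off on) and uses an in-memory Ed25519 key as a stand-in for the HSM; the key is reached only through Go's `crypto.Signer` interface, so the same gate code would work unchanged with a PKCS#11- or KMS-backed key whose private half never leaves the module. The artifact bytes and approval list are constructed inline for the demo.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Approval is a hypothetical record produced on the review device: the exact
// digest of the build the security engineer looked at, and who approved it.
type Approval struct {
	Artifact string // e.g. "installer-1.2.3.msi"
	SHA256   string // hex digest of the reviewed build output
	Reviewer string
}

// ErrNotApproved is returned for any artifact whose digest was never approved.
var ErrNotApproved = errors.New("artifact digest not in approval list; refusing to sign")

// SigningGate refuses to sign anything that is not on the approval list.
// key is a crypto.Signer so that a software key (this demo) and an HSM-backed
// key (production) are interchangeable; the gate never touches raw key bytes.
type SigningGate struct {
	key       crypto.Signer
	approvals map[string]Approval // keyed by hex SHA-256 of the artifact
}

func NewSigningGate(key crypto.Signer, approvals []Approval) *SigningGate {
	m := make(map[string]Approval, len(approvals))
	for _, a := range approvals {
		m[a.SHA256] = a
	}
	return &SigningGate{key: key, approvals: m}
}

// DigestHex returns the hex SHA-256 of b; approvals are recorded in this form.
func DigestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Sign hashes the artifact, checks the hash against the approval list, and only
// then asks the key for a signature. The gate is keyed on the content digest,
// not on a caller-supplied file name, so a swapped binary cannot ride on an
// approved name.
func (g *SigningGate) Sign(artifact []byte) ([]byte, error) {
	digest := DigestHex(artifact)
	if _, ok := g.approvals[digest]; !ok {
		return nil, fmt.Errorf("%w (sha256=%s)", ErrNotApproved, digest)
	}
	// Pure Ed25519 signs the message itself; crypto.Hash(0) tells the Signer
	// not to expect a prehashed input.
	return g.key.Sign(rand.Reader, artifact, crypto.Hash(0))
}

// Verify is what the consumer of the release runs with the published public key.
func Verify(pub ed25519.PublicKey, artifact, sig []byte) bool {
	return ed25519.Verify(pub, artifact, sig)
}

func main() {
	// Demo key; in the real workflow this lives in the HSM and only Sign() is exposed.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample inputs: the reviewed build and a later, unreviewed build.
	reviewed := []byte("reviewed release build bytes")
	unreviewed := []byte("reviewed release build bytes + one late commit")

	gate := NewSigningGate(priv, []Approval{
		{Artifact: "installer-1.2.3", SHA256: DigestHex(reviewed), Reviewer: "security-eng"},
	})

	sig, err := gate.Sign(reviewed)
	fmt.Println("approved artifact signed:", err == nil, "verifies:", Verify(pub, reviewed, sig))

	_, err = gate.Sign(unreviewed)
	fmt.Println("unreviewed artifact refused:", errors.Is(err, ErrNotApproved))
}
```

The point of the `crypto.Signer` boundary is the one the thread is circling: whoever can call `Sign` on the HSM can sign arbitrary artifacts, so the approval check has to sit in front of that call on the signing host, not in a CI job that any engineer with group membership can edit.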
One guy named Jeff and his boss Clem have access to an offline PC with some signing software in a closet behind a badged door. Not TEMPEST secure unless they have govt contracts. For hardware stuff it might be at the factory.