> signed version of the open-source password manager KeePass [...] KeePass’s actual source code was altered [...] risks of trusted software being hijacked<p>To be clear, as far as I'm able to tell from the report, the actual KeePass is safe and has not been infiltrated/compromised. The malicious version was from malvertising/typosquatting sites, and signed by random compromised certifications - not by the KeePass developer.<p>I guess what they're intending to emphasize is that the malware authors recompiled KeePass to add their malware as opposed to just packaging it alongside KeePass in an installer, but it did initally sound like something far worse had happened.