To achieve a compromised update you either need to compromise the update infrastructure AND the key or the infratstructure AND exploit the local updater to accept the invalid or forged signature.
As i said, to compromise a signature checked update over the internet you need to compromise both, the distributing infrastructure AND the key. With just either one its not possible. (Ignoring flaws in the code ofc)
After gaining initial access, the malicious cyber actor deployed malware that scanned the environment for sensitive credentials.
So as I said, the keys got compromised. Thats what i said in the second post.
No you cannot, the pub key either needs to be present on the updater or uses infrastructure that is not owned by you. Usually how most software suppliers are doing it the public key is supplied within the updater.
This is incorrect. If the update you download is compromised then the signature is invalid and the update fails.
To achieve a compromised update you either need to compromise the update infrastructure AND the key or the infratstructure AND exploit the local updater to accept the invalid or forged signature.
Not completely correct. A lot of updaters work with signatures to verify that what was downloaded is signed by the correct key.
With bash curl there is no such check in place.
So strictly speeking it is not the same.
Yes, the secrets to submit to the distribution system got compromised and therefore the system got compromised.