Every shared hosting provider has this risk. Critical projects should be using dedicated or VPS hosting, preferably with encrypted filesystems too as even datacenter techs can fall victim to social engineering.

I'm pretty surprised that they got away with unsigned updates and shared hosting as long as they did. I wonder how many similar popular projects are out there on dodgy infrastructure.