Jenkins (and CI in general) can be a very weak point. This was posted on Hacker News a while back https://github.com/samratashok/ContinuousIntrusion
Why should it? For open-source software, the build server can even be run by a third party.
As far as I know, only the binary was updated.
I'd be interested to hear, though, how it got compromised after all.
And even if you sign updates, the key management for doing that is usually centralized, which can be bad: