I had a similar concern that I raised here.
The issue is that code commits are continually published to their public GitHub repo in real time, which includes bug fixes.
But new IC replica binaries are deployed once every couple weeks.
So there’s a lag between code being merged and code being deployed, which could present a window of opportunity for an exploit, which is exactly what happened here…