Re: Malware and developer servers ...
You generally don't get an entire trojan into software by committing it to source control. That'd be ... pretty obvious.
In the CCleaner case they fiddled with the actual toolchain used to build the final EXE. I'd assume either something similar has happened here, or they simply signed and uploaded a trojaned version of the executable.