The (presumed) attacker opened a bunch of issues in Matrix' GitHub issue tracker, explaining the security issues leading to this compromise: https://github.com/matrix-org/matrix.org/issues/created_by/m...

TL;DR: A collection of inadvertences and suboptimal practices, some (like having GPG signing keys on production systems) more worrying than others. Something that could probably have happened to most orgs without dedicated security resources.