Link to the story (Ars Technicia).
As mentioned in the article, that’s the same process used in the SolarWinds breach. Wikipedia has info about their FTP server having an easy password (“solarwinds123”) in 2019 and employee passwords were stored on GitHub back then, too. Based on what happened next, the FTP password wasn’t changed after it was reported to them as a risk.
NPR has two reports on SolarWinds. The first is shorter and you can either listen to it or read the transcript. The second is 14 minutes long without a transcript. I heard most of it on Friday driving home. The key point is a simple test file was uploaded to see if it could be done and then they disappeared for five months. That gave them time to work on the full attack program and scrub the code of any identifiers like comments.
So a file name like “moserware.secretsplitter.dll” would stand out if anyone was simply scanning through a list of file names and the first thing I thought of was “Does ‘moserware’ or ‘secretsplitter’ have anything to do with Passwordstate?” I don’t know if it does but Click Studios should for their own product.