I doubt they will be doing a post-mortem on this, but where would the entry point be? A weak GitHub account without two-factor authentication or something else?
[1] https://twitter.com/tonyciccarone/status/1261100239206957056
2. Malicious JavaScript could have been embedded into their CI/CD pipeline and made it onto the site.
3. Somehow stealing SSH keys from a developer and simply logging into the box to change things at the OS level. In fact, it looks like at least one subdomain of theirs is hosted on GoDaddy. SSH keys for some of their customers were recently compromised. Note that I don't think this actually happened, but wanted to list it. [b]
4. Smashing Magazine could also improve security by adding the Expect-CT, Feature Policy, and especially a Content Security Policy. Ironically a Smashing Magazine article from 2017 mentions at least having a CSP. [c,d]
5. I recall some speech by the NSA at DEFCON, I think in 2012 or something. One of their speakers said that for all the cool stuff they do... 95% of the time it's just password reuse that gets people or phishing for credentials. This would seem to me the most likely way and the best investment of a hacker's time.
[a] - https://css-tricks.com/css-keylogger/
[b] - https://www.theregister.co.uk/2020/05/05/godaddy_ssh_login_d...
[c] - https://www.smashingmagazine.com/2017/04/secure-web-app-http...
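An added example, not part of the comment above or of any site's code: a small audit that checks a response's headers for the three policies item 4 names and flags a Content Security Policy that still permits inline, eval or any-host scripts. The header sets are constructed samples, the function names are hypothetical, only `script-src` and its `default-src` fallback are examined, and Feature-Policy has since been renamed Permissions-Policy.

```python
# Added example: audit response headers for the policies named in the comment above.
REQUIRED = ("Content-Security-Policy", "Expect-CT", "Feature-Policy")

def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_headers(headers):
    """Return findings for missing headers and weak script restrictions."""
    present = {name.lower(): value for name, value in headers.items()}
    findings = [f"missing {h}" for h in REQUIRED if h.lower() not in present]
    csp = present.get("content-security-policy")
    if csp is None:
        return findings
    policy = parse_csp(csp)
    # script-src falls back to default-src when it is not set.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return findings + ["CSP does not restrict scripts"]
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    strict = any(s.lower().startswith(("'nonce-", "'sha")) for s in sources)
    for src in (s.lower() for s in sources):
        if src == "'unsafe-inline'" and strict:
            continue
        if src in ("'unsafe-inline'", "'unsafe-eval'"):
            findings.append(f"CSP allows {src} scripts")
        elif src in ("*", "http:", "https:"):
            findings.append(f"CSP allows scripts from any host ({src})")
    return findings

# Constructed sample responses, not captured from any real site.
WEAK = {
    "Content-Type": "text/html",
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
}
HARDENED = {
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'",
    "Expect-CT": "max-age=86400, enforce",
    "Feature-Policy": "geolocation 'none'; camera 'none'",
}

for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
    print(label, audit_headers(hdrs) or "no findings")
```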
You've still got to secure e.g. your hosting account, DNS account, Git account, comment system (against injection attacks). Phishing attacks aren't going to go away.
Someone else mentioned that at least one subdomain is hosted by GoDaddy, and that seems like a very easy target.