Who knows. Didn't it happen with GNU/Linux Mint?
https://blog.linuxmint.com/?p=2994
Don't forget that kernel.org was also compromised. If someone cracks a server
to replace the downloadable programs, they could also replace the checksums if
they live in the same place. The attacker already has access to do the first
and, if the checksums live on the same server in the same place, it would not
be hard to take the additional step of changing them to match.
So, all that checksums give you is that the file was downloaded without some
accidental corruption; they do not tell you that it's the same file that was
originally uploaded. For that you need something else, like the GPG signatures
I mentioned earlier.
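The scenario the post describes, as an added example that is not part of the original post: a Go program that models a mirror serving an artifact, a SHA256SUMS file and a detached signature over that file. An attacker who can write to the mirror swaps the artifact and regenerates the checksums, so a checksum-only check passes, but the signature over the checksum file no longer verifies because the signing key never lived on the server. Ed25519 from Go's standard library stands in for GPG here (an assumption for illustration), and the file name, contents and key are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a mirror serves: the artifact, the SHA256SUMS file, and a
// detached signature over the SHA256SUMS file. Real projects usually publish a
// GPG/OpenPGP signature; Ed25519 stands in for it here (assumption for illustration).
type Release struct {
	Artifact  []byte
	Checksums []byte // "<hex sha256>  <name>\n", same layout as sha256sum output
	Signature []byte // signature over Checksums, made with the maintainer's offline key
}

// checksumLine produces one sha256sum-style line for the named artifact.
func checksumLine(name string, data []byte) []byte {
	sum := sha256.Sum256(data)
	return []byte(fmt.Sprintf("%s  %s\n", hex.EncodeToString(sum[:]), name))
}

// Publish is the legitimate release process: hash the artifact, then sign the
// checksum file with a key that is never stored on the download server.
func Publish(priv ed25519.PrivateKey, name string, artifact []byte) Release {
	sums := checksumLine(name, artifact)
	return Release{Artifact: artifact, Checksums: sums, Signature: ed25519.Sign(priv, sums)}
}

// Compromise models an attacker with write access to the mirror: they replace
// the artifact and regenerate SHA256SUMS so the hash matches the new file.
// They cannot produce a fresh signature, so the old one is left in place.
func Compromise(r Release, name string, trojan []byte) Release {
	return Release{Artifact: trojan, Checksums: checksumLine(name, trojan), Signature: r.Signature}
}

// ChecksumOK is all a user who only compares hashes learns: the download
// matches what the (possibly compromised) server says it should be.
func ChecksumOK(r Release, name string) bool {
	return bytes.Equal(r.Checksums, checksumLine(name, r.Artifact))
}

// SignatureOK additionally verifies the checksum file against the project's
// public key, which the user obtained out of band (a keyserver, a previous
// install, a signed tag), not from the mirror being verified.
func SignatureOK(r Release, name string, pub ed25519.PublicKey) bool {
	return ChecksumOK(r, name) && ed25519.Verify(pub, r.Checksums, r.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed maintainer key
	if err != nil {
		panic(err)
	}
	const name = "release.tar.gz" // constructed file name
	good := Publish(priv, name, []byte("constructed sample release contents"))
	evil := Compromise(good, name, []byte("constructed backdoored release contents"))

	fmt.Println("genuine : checksum", ChecksumOK(good, name), "signature", SignatureOK(good, name, pub))
	fmt.Println("tampered: checksum", ChecksumOK(evil, name), "signature", SignatureOK(evil, name, pub))
}
```

The point of keeping `ChecksumOK` inside `SignatureOK` is that both halves are needed: the signature binds the checksum file to the maintainer, and the checksum binds the artifact to that file. Skipping either lets a substituted download through.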