It’s amazing that Homebrew updated the hash to the compromised version. I can only assume the checksums failed (protecting users from being infected) and someone just decided to update the hash thinking that upstream rerolled a tarball/installer (which happens too often in a lot of projects).
I hope people will treat mismatches seriously and I’m very happy that’s the current state with OpenBSD port MAINTAINERS. There was a situation not long ago where a port submission started mismatching (on a newly submitted port). I pointed that out to the package MAINTAINER and she took the issue upstream (kudos for that!) to the developer. In this case it was just a silent re-roll, but it could have been a hacked upstream like in the case of HandBrake.
Standard procedure in FreeBSD is to find out why they re-rolled a release tarball and scold them for doing it. If a ports committer blindly updated distinfo (committed without clarity / details of upstream contact) for a port I expect they would be in hot water.
I believe a few years ago FreeBSD helped detect a compromised open source software mirror via a checksum mismatch. I can’t recall what it was, though.
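One way to triage the kind of mismatch discussed in the comments above, as an added example that is not part of the thread or of any ports tooling: compare a previously verified copy of the distfile with the freshly fetched one, member by member, to separate a metadata-only re-roll from changed contents. The function names and the sample tarballs are constructed for illustration.

```python
import hashlib
import io
import tarfile


def member_digests(tar_bytes):
    """Map member name -> (type, mode, sha256 of contents or link target)."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            body = tar.extractfile(m).read() if m.isfile() else m.linkname.encode()
            digests[m.name] = (m.type, m.mode, hashlib.sha256(body).hexdigest())
    return digests


def triage_mismatch(recorded_sha256, old_tar, new_tar):
    """Compare a previously verified distfile with a freshly fetched one."""
    if hashlib.sha256(old_tar).hexdigest() != recorded_sha256:
        raise ValueError("reference copy does not match the recorded checksum")
    if hashlib.sha256(new_tar).hexdigest() == recorded_sha256:
        return {"verdict": "match", "added": [], "removed": [], "changed": []}
    old, new = member_digests(old_tar), member_digests(new_tar)
    report = {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }
    differs = report["added"] or report["removed"] or report["changed"]
    # "metadata-only" means timestamps, ordering or owners changed, not file
    # contents; it is a triage result, not a reason to skip asking upstream.
    report["verdict"] = "content-changed" if differs else "metadata-only"
    return report


def make_tar(files, mtime):
    """Build a constructed sample tarball in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(data), mtime, 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    files = {"pkg-1.0/README": b"hello\n", "pkg-1.0/main.c": b"int main(void){return 0;}\n"}
    good = make_tar(files, 1000)
    print(triage_mismatch(hashlib.sha256(good).hexdigest(), good, make_tar(files, 2000)))
```

The recorded checksum is never rewritten by this code; the report is what a maintainer would attach when asking upstream why the file changed.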
Analysis of the malware: https://objective-see.com/blog/blog_0x1D.html
The author also notes that the detection rate for the infected .dmg file was 0/55 on VirusTotal (2017-05-06 20:12:15 UTC) and 0/56 for the contained OSX/Proton malware.
VirusTotal links: .dmg file, malware’s persistent component