most important apps are signed by fdroid, not by the app devs (for the most part at least; fdroid offers a method to build the app in a way that permit devs to sign themself, but pratically noone uses it cause require much work).

So if someone compromise fdroid, he can put arbitrary malware in the update of all your fdroid apps.