If a malicious party gains access to Bitwarden's developer accounts, that party could publish arbitrary code as "updates" through the Bitwarden repositories (GitHub) or the distribution channels (Firefox Add-ons, Chrome Web Store, ...), potentially compromising the entire security of the application for a large number of users. This is why securing developer accounts should be one of the highest priorities of the Bitwarden Team.
A strong password and 2FA are good measures for securing developer accounts. With Git and GitHub there is an additional possibility: signing Git commits and/or tags with a GPG key that is kept locally on the developer's device. This security feature is described here. Signed commits and tags add another layer of security to code publishing, because they let anyone verify that the code was not pushed by someone who has taken over Bitwarden's GitHub account. With signed tags, we can verify that releases are approved and signed by the Bitwarden Team. People who doubt the security of their browser's extension update mechanism, or who worry about a potential account compromise, could check out the latest signed release from GitHub, verify the signature, and compile the browser extension themselves.
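The workflow described above, as an added example that is not part of the original post and not Bitwarden's own tooling: a throwaway repository and a throwaway GPG key (names, e-mail and tag name are constructed for the demo) are used to sign a commit and a release tag, a downstream builder then verifies the tag before compiling, and a tag object whose message was altered after signing is shown to fail verification. It is POSIX sh and needs `git` and `gpg` (2.1 or later) on the path.

```shell
#!/bin/sh
# Added example (not from the original post): sign a commit and a release tag
# with a local GPG key, then verify them the way a downstream builder would.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME"
chmod 700 "$GNUPGHOME"

# Throwaway, unprotected signing key (constructed for the demo). A real
# maintainer key is generated once, stays on the developer's machine and
# is protected by a passphrase or a hardware token.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Demo Maintainer <demo@example.invalid>" default default never
KEYID="$(gpg --batch --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}')"

REPO="$WORK/repo"
git init -q "$REPO"
cd "$REPO"
git config user.name "Demo Maintainer"
git config user.email "demo@example.invalid"
git config user.signingkey "$KEYID"
git config commit.gpgSign true   # sign every commit by default
git config tag.gpgSign true      # sign every annotated tag by default

echo "release" > README
git add README
git commit -q -m "Initial commit"          # signed: commit.gpgSign=true
git tag -a v1.0.0 -m "Release v1.0.0"      # signed: tag.gpgSign=true

# Exit status 0 only if the tag carries a valid signature from a key in the
# local keyring; this is what a builder runs before compiling a release.
verify_release_tag() {
    git verify-tag "$1" >/dev/null 2>&1
}

# Same check for the commit currently checked out.
verify_head_commit() {
    git verify-commit HEAD >/dev/null 2>&1
}

# Build a tag object whose message was altered after signing. The original
# signature block is kept, so it no longer matches the signed payload.
# Prints the object id of the forged tag object.
make_tampered_tag() {
    git cat-file -p v1.0.0 \
        | sed 's/^Release v1\.0\.0$/Release v1.0.0 (altered)/' \
        | git hash-object -t tag -w --stdin
}

TAMPERED_OID="$(make_tampered_tag)"
git update-ref refs/tags/v1.0.0-tampered "$TAMPERED_OID"

if verify_release_tag v1.0.0; then
    echo "v1.0.0: good signature, safe to build"
fi
if verify_release_tag v1.0.0-tampered; then
    echo "v1.0.0-tampered: unexpectedly verified"
else
    echo "v1.0.0-tampered: BAD signature, refuse to build"
fi
```

`git verify-tag` only reports a good signature when the signing key is in the verifier's keyring, so a builder must first import the maintainers' public keys from a channel they trust; a signature from an unknown key is reported as unverifiable, not as good.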
For increased security, the Bitwarden Team should always sign commits, or at the very least sign the release tags on GitHub.