The internal auto updater of the app directly use github as source, was this also compromised ? If malware was only on some random apkmirror upload then it should probably be fine for most users.

Apparently, yes. My guess is it was the Shai-hulud npm malware leaking their Github keys.

I think this comment relates to the fact that article mentions AFTNews Updater app as a way to install SmartTube... not yet released version of software?