For SUSE the whole repository is integrity-protected by GPG signatures
from the top down.
So at most you can replay old repository states, but never smuggle in bad
Also, we use a central download redirector, which serves the metadata
directly but refers to the mirrors for the RPMs. So you get the latest
If you take over its DNS record or are the man in the middle, you can,
due to the checking, only replay old states.
So yes, their mirror was contacted, but the downloads were checked
afterwards and would have been discarded if bad.
Also, old repository states will not cause old packages to be installed,
since the ">= version" conditions still apply.
So they were able to get a mirror on the mirrorlist, but malicious
attacks would not be possible.
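The chain of trust described in the post, as an added example that is not SUSE's code or part of the original message: a model of a top-down signed repository (a signed repomd.xml pinning primary.xml by hash, which in turn pins each RPM by hash) and a client that checks it. Assumptions: an HMAC under a key only the vendor holds stands in for the GPG signature on repomd.xml, the revision counter and the ">= installed version" rule stand in for the client's freshness and downgrade checks, and all repository contents and mirror behaviours are constructed for the demonstration. The scenarios show what a malicious mirror can and cannot do: swap an RPM, rewrite metadata, forge repomd.xml, or replay an old state.

```python
"""Model of a top-down signed RPM repository and the attacks a mirror can attempt.
Added example, not SUSE's code. HMAC stands in for the vendor's GPG signature."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Assumption: symmetric key as a stand-in for the vendor's GPG signing key;
# a mirror or redirector does not hold it.
VENDOR_KEY = b"stand-in-for-the-repository-signing-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(data: bytes) -> str:
    """Detached signature over repomd.xml (HMAC stand-in for repomd.xml.asc)."""
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).hexdigest()


def build_repo(packages: dict, revision: int) -> dict:
    """Vendor side. packages maps name -> (version, rpm_bytes).
    Only repomd.xml is signed; it pins primary.xml, which pins each RPM."""
    entries = "".join(
        f'<package name="{n}" version="{v}" sha256="{sha256(rpm)}"/>'
        for n, (v, rpm) in sorted(packages.items())
    )
    primary = f"<metadata>{entries}</metadata>".encode()
    repomd = (f'<repomd revision="{revision}">'
              f'<data type="primary" sha256="{sha256(primary)}"/></repomd>').encode()
    return {
        "repomd.xml": repomd,
        "repomd.xml.asc": sign(repomd),
        "primary.xml": primary,
        "rpms": {n: rpm for n, (_, rpm) in packages.items()},
    }


class Rejected(Exception):
    pass


def verify_repo(fetched: dict, last_seen_revision: int, installed: dict) -> dict:
    """Client side. Returns {name: version} of packages that may be installed,
    or raises Rejected. installed maps name -> currently installed version."""
    repomd = fetched["repomd.xml"]
    if not hmac.compare_digest(sign(repomd), fetched["repomd.xml.asc"]):
        raise Rejected("repomd.xml signature invalid")
    root = ET.fromstring(repomd)
    revision = int(root.get("revision"))
    # A valid signature proves authenticity, not freshness: refuse to go backwards.
    if revision < last_seen_revision:
        raise Rejected(f"replayed repository state {revision} < {last_seen_revision}")
    want = root.find("data[@type='primary']").get("sha256")
    if sha256(fetched["primary.xml"]) != want:
        raise Rejected("primary.xml does not match signed repomd.xml")
    accepted = {}
    for pkg in ET.fromstring(fetched["primary.xml"]):
        name, version = pkg.get("name"), int(pkg.get("version"))
        if sha256(fetched["rpms"][name]) != pkg.get("sha256"):
            raise Rejected(f"{name}: RPM does not match signed metadata")
        # Even if the client never saw a newer revision, ">= version" still
        # stops an old state from installing an older package.
        if version >= installed.get(name, 0):
            accepted[name] = version
    return accepted


def outcome(fetched: dict, last_seen: int, installed: dict):
    try:
        return verify_repo(fetched, last_seen, installed)
    except Rejected as exc:
        return str(exc)


def scenarios() -> dict:
    """Constructed data: an honest revision-2 repo and several mirror attacks."""
    old = build_repo({"openssl": (1, b"openssl-1.rpm")}, revision=1)
    new = build_repo({"openssl": (2, b"openssl-2.rpm")}, revision=2)
    # The mirror builds its own metadata for a backdoored RPM but cannot sign it.
    evil = build_repo({"openssl": (2, b"openssl-2-backdoored.rpm")}, revision=2)
    return {
        "honest": outcome(new, 2, {"openssl": 1}),
        "swapped_rpm": outcome(dict(new, rpms=evil["rpms"]), 2, {"openssl": 1}),
        "tampered_metadata": outcome(
            dict(new, **{"primary.xml": evil["primary.xml"], "rpms": evil["rpms"]}),
            2, {"openssl": 1}),
        "forged_repomd": outcome(dict(evil, **{"repomd.xml.asc": "0" * 64}),
                                 2, {"openssl": 1}),
        # Old state replayed to a client that already saw revision 2.
        "replayed_old_state": outcome(old, 2, {"openssl": 2}),
        # Old state replayed to a client with no freshness record: nothing downgrades.
        "replay_without_freshness": outcome(old, 0, {"openssl": 2}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The only attack that survives the signature check is the replay of a genuinely signed older state, and the version rule means even that installs nothing older than what is already on the system; the remaining exposure of a replay is withholding updates, which is why the client also tracks the revision it last saw.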