Numerous orgs hacked after installing weaponized open source apps
arstechnica.com

> the hackers instruct the individuals to install the apps, which infect the employees' work environments
But why not use a hype headline implying that OSS tools were weaponized?
Because they weren't. This is a social-engineering attack to install modified versions of the tools that end up being trojans. The tools themselves were fine, and no malicious code ever made it upstream, at least that we know about (not that upstreaming was attempted in this case).