Actually, I was waiting for someone to shift the blame for losing account control on the updater since I first released it.
The updater is released under the LGPL, so anyone is free to run through the code or compile it by themselves for security reasons.
While it would be theoretically possible to install a keylogger by compromising the web server files, this has not happened and is quite unlikely to happen as well.
For the next release, the updater files will be digitally signed. While doing this has other reasons, it will improve security even more; compromised files wouldn't be able to run at all.