A compromised Apple developer account login pushing out a compromised Bitwarden mobile app to the Apple App Store that steals everyone's master passphrases.
If the Bitwarden developer account is compromised, one can indeed send an app that steals the passwords. But the devs would (most likely) see that someone else is pushing updates, and that would be the end of Bitwarden, so you can consider it is their job to not let that happen :-).
This is not specific to Bitwarden though, it's the same for all apps. Now because Bitwarden is open source, you can actually compile and install it yourself (if you're confident that the sources you are compiling are the legitimate ones, and not a fork that will steal your passwords ;-)).
Same applies for e.g. Signal Messenger: since it's difficult to check what version of the code is coming from your store, you can always compile it from source and install it yourself.
That's an app store issue, but to follow up bitwarden is opensource, so you could verify the checksums and compile it yourself if you really wanted to be dead sure.
