Someone compromised ASUS's Live Update servers (which are used for software, firmware, and BIOS(!) updates) and slipped in a backdoored version of the client. The trojan was the same size as the legit one, and appeared to be signed by ASUS.
What's especially interesting to me, and something that I haven't seen talked about much in the coverage so far, is that this attack only actually targeted about 600 specific MAC addresses (which were hardcoded into the program). Kaspersky estimates that about 1,000,000 people downloaded the compromised software, but again, it seems like only those 600 were actually targeted. That's pretty significant IMO: it means that a very sophisticated attack was launched with a focus on some very specific computers. It would be possible to trace where those went, I'm sure, but I don't expect much disclosure on that part.
As an aside, the degree to which security companies are marketing vulnerabilities and their disclosures of them is kind of obnoxious, even if I understand why they do it.
For more on this issue generally, see this excellent talk on how wildly insecure hardware supply chains are.