That’s as bad as it can get. Hackers gained access to update server and could sign their malware with ASUS signature key. Two things that should never happen.
Some people on reddit spotted that suspicious update, but could not tell what it was doing. It was signed by ASUS, so most decided it should be fine.