How does verifying the checksum confirm the integrity of a downloaded file, when it’s posted on the same website the file came from?




20 Answers

Anonymous 0 Comments

Supply chain attacks can happen. A hacker may not be able to get to the website, but a malicious FTP redirect can cause someone to download a file they think is correct, but which was actually downloaded from the wrong site.

This was done with code repositories: a hacker may not be able to duplicate the website, but they may be able to redirect the upload/download to steal code. I think it was the case in the Kaseya (or was it Java, I forget) hack. Malicious actors were able to redirect downloads to push a false update. If someone took the time to look at the webpage, that hash would be different from the code they downloaded. Of course, that would take a manual update rather than an automatic one.
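The check the answer describes, as an added example that is not part of the original answer: compute the SHA-256 of the bytes that actually arrived and compare it against the value printed on the download page. The file contents, filename and checksum listing below are constructed for the example; the "substituted" file stands in for a download that was redirected and came back modified while the web page and its published hash stayed intact.

```python
import hashlib
import hmac

# Constructed sample: the bytes the publisher actually shipped, and the
# SHA-256 the publisher would print on the download page (computed here,
# not copied from any real site).
ORIGINAL_FILE = b"#!/bin/sh\necho 'installer v1.2.3'\n"
PUBLISHED_SHA256 = hashlib.sha256(ORIGINAL_FILE).hexdigest()

# A sha256sum-style listing as many projects publish it: "<hex>  <name>".
CHECKSUMS_TXT = f"{PUBLISHED_SHA256}  installer.sh\n"

# Constructed scenario from the answer: the download was redirected and a
# modified file came back, even though the page showing the hash is intact.
SUBSTITUTED_FILE = ORIGINAL_FILE.replace(b"v1.2.3", b"v1.2.3-modified")


def sha256_of(data: bytes) -> str:
    """Hash file bytes the same way a `sha256sum` listing does."""
    h = hashlib.sha256()
    # Feed in chunks so the same routine works for large files read from disk.
    for i in range(0, len(data), 65536):
        h.update(data[i:i + 65536])
    return h.hexdigest()


def verify_download(data: bytes, published_hex: str) -> bool:
    """True only if the download's SHA-256 equals the published value.

    compare_digest is a constant-time comparison; it also returns False
    (rather than raising) when the lengths differ, e.g. a truncated hash.
    """
    actual = sha256_of(data)
    return hmac.compare_digest(actual, published_hex.strip().lower())


def verify_from_checksum_listing(data: bytes, listing: str, filename: str) -> bool:
    """Find `filename` in a sha256sum-style listing and verify against its entry."""
    for line in listing.splitlines():
        parts = line.split()
        # sha256sum marks binary-mode entries with a leading '*' on the name.
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return verify_download(data, parts[0])
    return False  # not listed at all: treat as unverified, not as passing


if __name__ == "__main__":
    print("original matches:   ", verify_download(ORIGINAL_FILE, PUBLISHED_SHA256))
    print("substituted matches:", verify_download(SUBSTITUTED_FILE, PUBLISHED_SHA256))
    print("via listing:        ",
          verify_from_checksum_listing(ORIGINAL_FILE, CHECKSUMS_TXT, "installer.sh"))
```

The mismatch on the substituted file is exactly the signal the answer talks about: the hash on the page and the hash of what arrived disagree, so the download was corrupted or swapped somewhere between the publisher and you. What the check cannot tell you is whether the page itself was altered; if the same party controls both the file and the hash, they can republish both, which is why projects that want to cover that case also sign the checksum file with a key you can verify through a separate channel.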
