“Apps”, the /e/ app installer, downloads applications from CleanAPK.org, an intermediary which provides apps that originate from F-Droid and elsewhere.

Since apps are not downloaded directly from F-Droid or Google Play, the installer takes certain measures to protect against tampering. Unfortunately, these measures can be bypassed in the majority of cases. This means that CleanAPK.org (or whoever compromises it) can get maliciously modified apps installed on /e/ users’ devices, either when the user is installing a new app or during the update process.

Edit: This website is mentioned in the last release notes of /e/ OS v 0.19-q: https://gitlab.e.foundation/e/os/releases/-/releases