Yes it's possible that attackers could release a malicious client-side update but it would be immediately noticed and an alarm would be raised. Also I believe lastpass's client-side apps are open source, making it even more obvious when something is changed