I find it more likely that the certificates were given to them by an employee that also shared the passcode.

Said employee also kept her mouth shut? I don't know, conspiracy theories are not my forte.

Yes, but the point is that in order to use a stolen cert, you need the passcode and the cert. They somehow got three certs and three passcodes from three different companies.

Sometimes companies embed the passcode in the build script to automate the build process. Having to type in the passcode every time to build a release can become a chore.

That's right. However, I think that if I were in a position to steal a certificate, it'd be trivial to also get the pass[code|phrase|whatever], assuming there even was one to begin with. ;-)

Realtek and JMricron were in the same building, maybe the third company is as well?