I don't know a lot about Lavabit's arch.

But my guess is he's referring to replacing the login page's Javascript code with a malicious one that phones back the plaintext password. Kinda like a keylogger.