Pyramid of Pain Hash Question

In David Bianco’s Pyramid of Pain, why are hashes considered trivial for an attacker to circumvent?

My question spawns from the idea that hashes are immutable and provide non-repudiation to a hashed software’s creator (assuming they provide their hash to you for comparison to the hash of the file you have). If you downloaded a maliciously modified file and got both hashes, the two hashes would be different and there would be little the attacker could do to make it so that the hash of their modified file was the same as the original.

Am I correct on all of this information? What information am I missing to trivialize hash modification?

Hashes are trivial because you can take a well-known piece of malware with a well-known hash, make a tiny change to it, and it will have an entirely new hash, yet it is functionally the same code.
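A defender-side illustration of the answer above, added here as an example and not part of the original thread: a hash-only blocklist misses a file that differs by one bit, while a content-similarity check still flags it. The sample bytes, the blocklist and all function names are constructed for this example, and the n-gram Jaccard score is a crude stand-in for real fuzzy hashing.

```python
import hashlib

# Constructed, harmless stand-in for a "known bad" file (not real malware).
KNOWN_SAMPLE = b"constructed-sample:" + bytes(range(256)) * 8
# Hash-only blocklist, as built from a threat-intel feed of file hashes.
BLOCKLIST = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def make_variant(data, offset=100):
    """Flip one bit at `offset`; the rest of the content is untouched."""
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


def hash_match(data):
    """Exact-hash indicator: the bottom layer of the pyramid."""
    return hashlib.sha256(data).hexdigest() in BLOCKLIST


def digest_bits_changed(a, b):
    """Differing bits between the two SHA-256 digests (out of 256)."""
    da = int.from_bytes(hashlib.sha256(a).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(da ^ db).count("1")


def shingles(data, n=8):
    """Set of all overlapping n-byte substrings."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def content_similarity(a, b):
    """Jaccard similarity of byte n-grams (assumption: stand-in for fuzzy hashing)."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)


VARIANT = make_variant(KNOWN_SAMPLE)

if __name__ == "__main__":
    print("original on blocklist:", hash_match(KNOWN_SAMPLE))
    print("variant on blocklist: ", hash_match(VARIANT))
    print("digest bits changed:  ", digest_bits_changed(KNOWN_SAMPLE, VARIANT), "/ 256")
    print("content similarity:   ", round(content_similarity(KNOWN_SAMPLE, VARIANT), 3))
```

The integrity use case in the question is the opposite direction: there the defender picks the expected hash and any change is detected, whereas a blocklist only works if the file stays byte-for-byte identical.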