Mandiant determined the installers were malicious in early June and notified the victim of a potential website compromise, which may have allowed UNC2465 to replace the legitimate downloads.