Zip files are notorious vehicles for injected scripts. Extracting and running a .pkg or application from an unknown web mirror can compromise your macOS security gatekeeper.