Isn't that the old trick: download this “suspicios.zip,” unzip it, and click on “backdoor.exe”? Except that in this case, the backdoor code wasn't hidden in the binary - it was open-source, which is why an AI was able to detect it.
PS I think "smello" is really not a good name for a startup.
PS I think "smello" is really not a good name for a startup.