Only a fool would trust an unknown quantity from a suspect source ... and the same goes for installing software from BitTorrent :)
The infected app was a signed app from a known developer, which gets a lower level of scrutiny than a random anonymous app (but higher than one from the Ap Store).
It was a bittorent client called Transmission, which I have on both of my Macs. Fortunately, I was at version 2.84 until I heard about the malware and upgraded to 2.92 this morning (2.90 was the infected version).
Bittorrent is a distribution method; there’s nothing wrong with it in itself. Because it’s decentralized, no one is in control, and it’s definitely a “buyer beware” situation. But it’s also how most Linux distros get distributed.