It's not clear from the article or Google's response what caused the dependency to be downloaded; however, one thing that Google does mention is that they don't believe it has to do with their products or services. Since the purpose of their bug bounty program is to help Google secure their products, it would fall outside its scope, as the fix doesn't sit with product teams. I would imagine, though, that this is something that would be raised with corporate security, which deals with protection of endpoint devices and security awareness training.