The certificate authority should revoke their signing certificate if their binary is found to contain malware, returning them to the big warning state.