
This recently happened with the "StealthBit" bitcoin Mac App. The precompiled version on the GitHub Release page contained additional malicious code not present in the repo:

http://www.macrumors.com/2014/02/10/bitcoin-stealing-trojan/




It looks like this is just a local web app(?). The only binary I see used is ffmpegsumo.

Given that, can't you just download the repo locally, replace ffmpegsumo with a trusted version from elsewhere, and at least know you aren't running a version that differs from what is on the repo?


They are using node-webkit, which means any JavaScript has unrestricted access to the Node.js API http://nodejs.org/api/. It wouldn't be hard to do something malicious with those low-level filesystem, network and process modules.



