I found a Trojan installed where I least expected it.
It came as part of a LEGITIMATE piece of software. That software has won several awards, including a 5-star award from CNET.com.
None of the antivirus products I tried ever found it, but I was tipped off by an anti-spyware report (only after the most recent signature update).
After trying various tools, one eventually reported this.
I am currently investigating the exact installation process further, but the source is final.
To stop the speculation introduced in some answers, I am adding a few things to the main post:
1) The source has already been verified, as I already mentioned above.
2) This is a known trojan, listed in security databases, together with the author's alias and a sizeable list of other malware known to come from the same author.
3) I am not interested in speculation on what I checked or not; I have enough background to be past that. I am only interested in the legal aspect versus the surprise effect. (If the author is traceable to that company, but I contact them first (or somebody else does), he/she will have the time and opportunity to clear his/her tracks.)
What should be my next step?
1) Contacting the editor?
OR
2) Contacting the relevant law enforcement agency?