Do we have any hashes of the purported fake versions they pushed before they realised something was wrong? I'm not saying they did, or didn't, but I have auto-updates disabled on my mining rig and haven't updated in a month, and on my PC I use Excavator because it has no fee and I have an nVidia card while my rig is all AMD cards. So I went ahead and checked my PhoenixMiner version and all the hashes checked out. What exactly was the malware version?
Agreed, to add on what you say djeZo already confirmed that they used the legit link and therefor no fake version has been pushed. Although Nicehash has not explained why in the press release they mention different location:
Control shasum from new download locations does not match the value published by the developer on his channel! This brings the possibility that the Phoenix miner's author wants to cover its tracks and disappear or even do something malicious.
It is maybe an error of communication only, but I think this needs to be clarified