I use Little Snitch on my Macbook Pro (10.10.5) to check on unauthorized outbound connections any program tries to make. A couple of times I found that the download of Twine 2.1.3 was contacting what looked like a very strange server:
Twine
wants to connect to wrcvqkrmwryiiv on TCP port 80 (http)
IP Address 92.242.140.2
Reverse DNS Name unallocated.barefruit.co.uk
Established by /Applications/Twine.app/Contents/MacOS/nwjs
Process ID 33585
User edo (UID: 503)
The format of the message allows you click on the name of the server (wrcvqkrmwryiiv) and it brings up a very long list of nonsense names like the one listed in the message that are also located at that same IP address.
One of the times there was also a message saying that I didn't have the latest version of the program, though I was using 2.1.3 which I believe is the latest barring the new beta that just came out. The version I am using lists a creation date of May 1, 2017, and it was dowloaded on June 10, 2017. I am not sure if the malware that was on the website affected the installers (there is no mention of this being the case), or if there was a minor update to the installer since May 1 that didn't necessitate a new version number.
The apparent domain it connects to, barefruit.co.uk, is some sort of advertising site. On the site it says: Barefruit generates highly targeted traffic for ISPs by replacing DNS and HTTP errors with relevant advertising. Since advertising and Twine don't seem to go together, this looks strange.
Chris or anyone else who has seen this please weigh in. I know this may be benign and just look odd, but it does look odd.
edo