An advisory at the site said anyone who had downloaded Handbrake for the Mac between 2 May and 6 May should immediately verify the SHA1/256 hash of the file before using it.
It said the trojan in question was a version of OSX.Proton that could allow theft of data from infected devices and also permit attackers to connect to infected hosts via VNC or SSH.
Mac users could check the OSX Activity Monitor to see if they were infected, the site advisory said.
"For reference, if you've installed a HandBrake.dmg with the following checksums, you will also be infected: SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274 or SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793."
The trojan could be removed from within a terminal, the advisory said.
"Open up the 'Terminal' application and run the following commands:
"launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
"rm -rf ~/Library/RenderFiles/activity_agent.app
"if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
"Then remove any 'HandBrake.app' installs you may have."
Additionally, those who had been infected were asked to change all the passwords that may reside in the OSX KeyChain or any browser password stores.
"The HandBrake team is independent of the Tranmission developers. The projects share history in the sense that the same author created these apps but he is not part of the current HandBrake team of developers," the advisory said.
"We do not share our virtual machines with the Transmission project."