The exit node in question was in Russia, and Pitts discovered that the node was actively patching any binaries he downloaded with a piece of malware. He downloaded binaries from a variety of sources, including Microsoft.com, and each of them came loaded with malicious code that opens a port to listen for commands and starts sending HTTP requests to a remote server.
From: The Case of the Modified Binaries
Companies and developers need to make the conscious decision to host binaries via SSL/TLS, whether or not the binaries are signed. All people, but especially those in countries hostile to “Internet freedom,” as well as those using Tor anywhere, should be wary of downloading binaries hosted in the clear—and all users should have a way of checking hashes and signatures out of band prior to executing the binary.