I found the same thing. The TAC development team should add an image check.
<?php include (TEMPLATEPATH . '/images/social.png'); ?>
Such code is not detected as malicious by TAC. It seems to be an image, but when you open it, it in fact contains a cURL request that imports malicious code into your WordPress installation.
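A check of the kind requested above, as an added example that is not part of the original comment and is not TAC's code: it flags PHP files that `include`/`require` a path ending in an image extension, and image files whose bytes contain a PHP open tag. The function names `scan_theme` and `build_sample_theme`, the extension list, and the sample theme are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".bmp", ".webp"}  # assumed list
# include/require (optionally _once) whose quoted argument ends in an image extension
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*?"
    r"['\"]([^'\"]+\.(?:png|jpe?g|gif|ico|bmp|webp))['\"]",
    re.IGNORECASE,
)
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def scan_theme(theme_dir):
    """Return sorted (kind, relative_path, detail) findings for a theme directory."""
    root = Path(theme_dir)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext == ".php":
            text = path.read_text(encoding="utf-8", errors="replace")
            for m in INCLUDE_RE.finditer(text):
                findings.append(("php-includes-image", rel, m.group(1)))
        elif ext in IMAGE_EXT and PHP_TAG.search(path.read_bytes()):
            # A real image has no reason to carry a PHP open tag
            findings.append(("image-contains-php", rel, "PHP open tag in image file"))
    return sorted(findings)

def build_sample_theme(root):
    """Constructed sample theme: one fake 'image' holding PHP, one clean PNG header."""
    root = Path(root)
    (root / "images").mkdir(parents=True)
    (root / "footer.php").write_text(
        "<?php include (TEMPLATEPATH . '/images/social.png'); ?>\n")
    (root / "header.php").write_text(
        '<img src="<?php echo get_template_directory_uri(); ?>/images/logo.png">\n')
    (root / "images" / "social.png").write_bytes(
        b"<?php /* constructed placeholder, no payload */ ?>")
    (root / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in scan_theme(build_sample_theme(tmp)):
            print(finding)
```

Either finding alone is worth a manual look; the two together on the same file match the pattern described in the comment.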