I wrote several blogs on this issue in my Chinese blog with detail information at blog.creaders.net/chudq. I disarmed the package and the zip file with terminal commands.
Apple support web link for this update does seem any disclosure of the malware issue.
The following is the comparison of the used space difference between before and after:
|Command: df -lak||Used(Kilobytes in 1024-blocks)|