SHA 256 Malicious hash on binary package install

when installing the binary package version `promises_1.2.0.1.zip` the package is flagged as malicious due to the SHA 256 hash for the .zip file. the source package did not run into issues with the hash being flagged. What aspect of the binary version would cause the hash to be considered malicious? or would this be something that is checked differently between different security applications? 
