Anyone who has access to a server either authorized or unauthorized could have done it.

They have a way of identifying when users installed it, and also when they actually used it.