If the installer is very poorly programmed and is, for some reason, opting to execute any code it sees while reading an NCA for installation (note: nothing is this poorly programmed in this decade, or last decade either really) that could be possible, but it would create lots of evidence. But that isn't possible here as there is no distinct executable in the modified NCAs. There's just garbage data that the installer would not know how to execute. The installer would need to be aware of the malicious file system structure, know how to read from it, read from it and execute the code inside. None of that is the case, and all of that would be trivial to recognize, catch and prove.
If you don't know, you don't know. Do not whip up fear regarding stuff you know nothing about. You need actual evidence of a malicious executable in order to raise the alarm.