It's a false positive.
Check out the Deterministic Signed Binaries section. All of the binaries for Pepecoin are signed such that you can build from source and verify the hashes yourself. The public keys are located here. This was done so that it is cryptographically proven that the binaries were built from source.