Or writes a script which checks the user agent and only serves up malware to curl.
Or the second time that an IP address hits it.
Or something else that you haven't thought of.
Update: Such as doing something nasty to http://getcomposer.org/composer.phar instead - a 520KB php file that the first script downloads and runs without even md5ing first. Did you audit that too? Did you understand everything that it was doing?