when installing an uploaded package file the $_FILES data is passed through a safety filter via JFilterInput::isSafeFile but for short PHP files the check

if ($options['php_tag_in_content'] && strstr($buffer, '<?php'))

BUT if one of the files in the zip file is short e.g.

<?php 
defined('_JEXEC') or die('Restricted access');

then the zip algorithm doesn't compress the content when creating the zip package and leaves the raw file content in the zip file. This means that the uploaded file will incorrectly fail this safety check when there is no reason for it to do so.