Nice rundown in
http://www.bleepingcomputer.com/forums/topic351472.html (this is about Windows but the same seems to happen on Macs, although the actual threat has not been evaluated, I guess):
When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files into its cache folder (C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache) for quick execution later and better performance. Malicious applets are also stored in the Java cache directory and your anti-virus may detect them and provide alerts. Notification of these files as a threat does not always mean that a machine has been infected; it indicates that a program included the viral class file but this does not mean that it used the malicious functionality. However, when alerted to this type of threat, it's a good practice to clear the Java cache and clean out Windows temporary files.
So, looks like Sophos did its job well.
