Re: So let's look at this again (again).
His computer was infected as well. Apparently at some point, he disabled the antivirus on his computer so he can install a key-gen for Microsoft Office, then when he turn his AV back on, it rightfully reported that he was infected with several bits of malware and some stuff that looked a lot like malware it hadn't seen before (The NSA exploit code). Since it hadn't seen it, the data was uploaded to Kaspersky's servers for further analysis (So it can be determined if it really is malware and so a definition can be made to detect it in the future and for other users).
So, more of:
Man takes classified spyware home
Disables antivirus because it was preventing him form running virus-riddled code
Run code, machine gets infected
Man turns Antivirus back on, it detects the infection and suspicious code as well
AV attempts to clean the malware it knows about
AV uploads suspicious code it never encountered before for analysis
Really, the only thing Kaspersky is guilty of is trying to protect other users from some unknown bit of malware.