And a recent article on How To Geek is warning users to steer clear of downloading software from SourceForge:
Avoid using SourceForge to download software. Even if it comes up first in a Google search, skip SourceForge and head to the software project’s official download page. Follow the links to download the program from somewhere else — there’s a good chance the project has moved away from SourceForge and offers clean download links elsewhere.
In our testing, we’ve found that SourceForge’s downloader behaves more nicely in a virtual machine. If you want to see what it actually does, be sure to test it in a real Windows system on a physical machine, not a virtual machine.
This is the same sort of behavior that malicious applications are increasingly using to avoid detection and analysis.
Technology redditors reacted to the How To Geek article and made it clear that they are on to the download tactics of SourceForge:
Zombie042: "... they have really jumped the shark. Packaging malware with open source software and stealing long established accounts to do so. Just hoping Google 'adjusts' their search ranking soon to minimize the impact on less up-to-date IT folks."
Red_turtle_slide: "Just downloaded FileZilla the other day and they link SourceForge as the main source. When I was installing, I noticed so much piggybacked junk that almost got installed. I skipped through those but would there have been anything else they may have slipped in without my knowing?"
Magixxxx: "Yeah. Such cheesy tactics as well. The classic 'make it look like they're agreeing to the main product', of course. But it's more advanced than that.
In the screen where you're agreeing to install the main product, you can click on the checkbox that says 'I agree' or you can click on the actual text next to the checkbox and it'll still check it. So you get used to doing that. But in the screen that says 'I agree to install ASK toolbar' or whatever, clicking on the text doesn't do anything. You have to actually click on the 10x10px checkbox. They're hoping that some people will click on the text and assume that they opted out.
And, of course, all of the extra crap is checked by default and hidden away under 'advanced installation'. Because of course people who aren't good with computers won't use the advanced installation because it sounds scary. In reality it's just there so you can disable the adware and select what folder you want to install to."
Mugaboo: "In FileZilla's case, you're out of luck as the developer is approving it. At that point, there are no binaries you can trust anymore, so the product needs to be abandoned completely."
Staring_at_keyboard: "It seems like this is the new standard internet business model. Create an outstanding product or service and build up a large, trusting, user base. Then, slowly inject ads/malware/junk/etc. into your product, profit, then sell off to Facebook when people start catching on."