SourceForge has begun hijacking popular software from their download lists

SourceForge is a popular website that offers source-code repositories, download mirrors, a bug tracker and other features. It acts as a centralised location for software developers to control and manage free and open-source software development. You may know it best as a place to download popular software without having to go to the developer’s website to get it.

Since at least yesterday, SourceForge has started distributing adware/malware with certain projects hosted on its site.

Nmap, an open-source network tool used extensively by IT professionals, has been hijacked by SourceForge, and the developers have hit back on security notice boards:

Hi Folks! You may have already read the recent news about SourceForge.net hijacking the GIMP project account to distribute adware/malware. Previously GIMP used this SourceForge account to distribute their Windows installer, but they quit after SourceForge started tricking users with fake download buttons which led to malware rather than GIMP. Then SourceForge took over GIMP’s account and began distributing a trojan installer which tries to trick users into installing various malware and adware before actually installing GIMP. …

Anyway, the bad news is that SourceForge has also hijacked the Nmap account from me.

Despite promises to avoid deceptive advertisements that trick site visitors into downloading unwanted software and malware onto their computers, these malicious ads are appearing on projects that have been taken over by SourceForge’s anonymous editorial staff.

FileZilla was an early participant in DevShare, SourceForge’s revenue sharing plan for open-source developers. It was supposed to be opt-in only. By allowing SourceForge to wrap downloads in a Web installer that offered up to three different software bundles, open-source projects could generate some cash to support development.

But GIMP never enrolled in DevShare—SourceForge foisted the adware on the project’s Windows installer after taking over the project’s page. On Sunday, the GIMP team issued an official statement through Michael Schumacher, a maintainer of the GIMP website. It said that the GIMP team was never informed of what SourceForge was going to do.

“This was done without our knowledge and permission, and we would never have permitted it,” Schumacher wrote. Furthermore, he noted, the move broke a promise SourceForge made in November 2013: “We want to reassure you that we will never bundle offers with any project without the developers consent.”

SourceForge’s search engine ranking for these projects often makes the site the first link shown to people searching for these downloads on Google and Bing.

Some of the software hosted on SourceForge is as follows: openoffice, audacity, fedora, firefox, gimp, gnu privacy guard, joomla, libre office, multiwii, neverball, nmap, sqlite, simulationcraft, snort, texworks, transmission, vlc media player, wordpress, recaptcha, apache, mame, mysql, thunderbird.

We suggest avoiding SourceForge for the foreseeable future!
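Whatever mirror you end up downloading from, the one check that catches a swapped or wrapped installer is comparing the file's hash with the hash the developers publish on their own site (fetched over HTTPS, never from the same mirror that served the file). The script below is an added example written for this page, not code from the article or from any of the projects named in it; it assumes the developers publish a checksum list in the common `sha256sum` layout (`<hex digest>  <filename>`, one entry per line), and the sample files and sums file it checks are constructed inside the script so that it runs offline.

```python
"""Verify a downloaded installer against a developer-published checksum list.

Added example, not from the original article. Assumption: the developer
publishes a sums file in GNU coreutils ``sha256sum`` layout, one
``<hex digest>  <filename>`` entry per line. All sample data here is
constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile


def parse_sums(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines into {filename: lowercase hex digest}.

    Blank lines and '#' comments are skipped; a leading '*' on the filename
    (the binary-mode marker some tools write) is stripped. Any other
    malformed line is an error rather than a silent skip.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums


def sha256_of(path: str) -> str:
    """Hash a file in 1 MiB chunks so large installers do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, sums: dict[str, str]) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for the file at ``path``.

    'unlisted' deserves the same suspicion as 'mismatch': a wrapper
    installer often carries a filename the developers never published.
    """
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    actual = sha256_of(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo() -> dict[str, str]:
    """Exercise the three outcomes on constructed files in a temp directory."""
    genuine = b"genuine installer bytes (constructed sample)\n"
    cases = [
        ("clean", "tool-1.0-setup.exe", genuine),
        # Same filename, content altered (stands in for a wrapped installer).
        ("tampered", "tool-1.0-setup.exe", genuine + b"bundled offer stub\n"),
        # Genuine bytes under a filename the developers never published.
        ("renamed", "tool-1.0-setup_web.exe", genuine),
    ]
    # Constructed sums file, standing in for the developer-published one.
    sums = parse_sums(f"{hashlib.sha256(genuine).hexdigest()}  tool-1.0-setup.exe\n")
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, name, content in cases:
            sub = os.path.join(d, label)
            os.mkdir(sub)
            path = os.path.join(sub, name)
            with open(path, "wb") as f:
                f.write(content)
            results[label] = verify_download(path, sums)
    return results


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label:9s} -> {status}")
```

In real use you would point `verify_download` at the file you downloaded and `parse_sums` at the checksum list you fetched from the developer's own site; a `mismatch` or `unlisted` result means the installer is not the one the developers published, whatever the mirror's download button said.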