Sourceforge repackaging free software projects with malware/adware


If you dont know already. Sourceforge is a software hosting site that hosted the projects of many open source / free software projects. Recently they have been caught taking over apparently abandoned project pages and repackaging those projects downloads with installers that try to trick you into installing additional malware/adware.

This came up a few days ago when a maintainer of the Windows version of GIMP found that there downloads listed on source forge and their accounts had been taken over with no notice and re-bundled into installers with malicious addon software.

Nmap (a network discovery tool) has also found out that sourceforge have similarly taken over their sorceforge account and downloads

SF's reasoning apparently is that they are abandoned projects and they "mirror" them to keep them up. But there is not reasoning behind re-bundling the downloads with adware, and all it does is serve to damage the original projects reputations, the end users computers, and line sourceforges pockets. The mirrors they host them on dont even belong to source forge and in most cases is actually donated space, so in reality the sole reason comes down to trying to take advantage of projects who may not notice legacy accounts being taken over for revenue generation.

there are quite a number of accounts that were taken over, among them

Most of the Apache Foundation's projects—including Allura, Derby, Directory Studio, the Apache HTTP server, Hadoop, OpenOffice, Solr, and Subversion;
The Mozilla Project's Firefox, Thunderbird, and FireFTP;
The Evolution and Open-Xchange mail clients;
The Drupal and WordPress content management systems;
The Eclipse, Aptana, Komodo, MonoDevelop, and NetBeans integrated development environments;
The VLC, Audacious,, Helix, and Tomahawk media players;
The Reaver WPS Wi-Fi hacking tool; and a host of games, utilities, and other applications.

I've always felt sourceforge was slowly going downhill, this to me just proves it, technically they have dont nothing wring with repackaging the programs, as they are free software and anyone is allowed to do that, but the shady practice of taking over accounts, and putting what is effectively malware/adware into them is despicable and harmful. Make sure if your downloading software, you get it from the source. not sourceforge.

I found out about the "SourceForge download manager" or whatever a few years ago, when it started appearing for large software downloads, but I assumed it was a way for the OSS projects to generate a little extra revenue, maybe they asked SourceForge to do it and pay them or something. I had no idea SourceForge was just putting it on there without asking.

GitHub has always seemed better to me anyway. :P

1 Like

If you read what happened to VLC, you notice some pretty dodgy stuff sourceforge seemed to be up to

[source: ars link in op]

Ludovic Fauvet, founder and CTO of Videolabs SAS. Developer of VLC media player, said in a blog post yesterday that SourceForge similarly took over the VLC project's account on SourceForge. VLC was, in 2012, the most downloaded project on SourceForge, and still remains among its top projects even though the project moved to its own download infrastructure two years ago. That happened, because as Fauvet wrote, "in 2012 Geeknet started to add more banners to their pages and did not bother filtering ads that were obvious scam, misleading users to click on these fake “downloads” buttons. Some if not all of these advertisers were distributing VLC bundled with crapware (as we like to call them)." The VLC team complained to SourceForge, and were assured by the SourceForge team that something would be done about it.

But the misleading ads kept coming back. "In consequence they also offered to share some revenues with us," Fauvet wrote. "They gave few thousands dollars every couple of month to the non-profit (which was welcome since we’re all volunteers) but we were still unhappy because a lot of VLC users were still impacted by these misleading ads." And after Dice acquired Slashdot Media in September of 2012, Fauvet said, the contacts at SourceForge that the VLC team had been working with disappeared, "leaving us without any way to reach the new team for quite some time." The misleading ads got worse, so in April 2013 the VLC team started to move the project to its own dedicated servers for download, ending user complaints about the ads—but also eliminating a major source of revenue for SourceForge, as "they lost their biggest project which was making a significant portion of their revenues since VLC was the most downloaded software on SourceForge at the time."

SourceForge attempted to lure VLC back with its "DevShare" revenue sharing program, Fauvet said, in July of 2013. At the same time, VLC's new servers were targeted by a large distributed denial of service attack. "We still don't know who was behind the attack and their motivations but the coincidence is striking," Fauvet wrote.

When news emerged that GIMP had been taken over as a mirror, Fauvet noted, "We were quite surprised to discover that the same happened to VLC, the project has been taken over without notice, removing all access to it but luckily the binaries weren’t touched."