SourceForge, the software downloads repository once adored by developers, is rife with malware and other malicious software, according to Google diagnostics.
The go-to site for hosting software projects for more than a decade, SourceForge’s huge user base allowed its owner, Geeknet, to generate healthy revenue through display advertising.
But its acquisition in September 2012 by Dice Holdings, owner of career website Dice.com, led to attempts to increase revenue through new methods.
It has since faced fierce criticism for its attempts to monetise the site by tricking users into installing sponsored adware that it bundles alongside legitimate applications.
This has resulted in an emerging exodus from the site, led by popular software projects such as photo editing tool GIMP, video player VLC and source code editor Notepad++, which have migrated to GitHub.
Last month, SourceForge caused more controversy by taking control of projects that had left the site and replacing the download links with more adware.
Now, Google’s diagnostics page for SourceForge has exposed the worrying implications of Dice Holdings’ strategy of exposing users to unwanted adware.
It shows that SourceForge has been distributing a huge amount of malware alongside legitimate applications.
In the past 90 days, Google discovered 588 SourceForge pages with malicious software being installed without user content, compared to 63 pages on GitHub.
The malicious software Google discovered on SourceForge included 5,877 viruses, 4,347 trojans and 1,132 exploits hosted across 93 domains, seven of which appeared to be functioning as intermediaries for distributing malware.
This compares to 446 viruses, 1,067 trojans and 97 exploits across seven domains on GitHub, one of which appeared to be functioning as an intermediary for distributing malware.
As a result of the vicious volume of malware on SourceForge, parts of the site have been listed for suspicious activity 333 times by Google over the past 90 days, compared to just once on GitHub.
As a result of this, a growing army of developers are calling for SourceForge to be shut down.
However, the site’s historic popularity means it still hosts thousands of projects that have been abandoned by their developers but still have users.
Shutting down SourceForge would, therefore, remove access to a vast number of programming languages and file readers that are still hosted on the site.
To preserve this historic code, another group of developers are attempting to protect the data repository of SourceForge against its current ownership.