Yes, there is a tendency that the official website unknowingly has replaced the package to be downloaded by its users. And so, be vigilant and always verify things. Because it's going to be too late if we find out that we've been a victim already. And we don't want to get into that point. Coming from apps, browser extensions that we use, everything that's executable, check them always.
Most websites does not have PGP signatures that can be used that a file really belongs to the original people that owns the website. I have only noticed just open source wallets that only support bitcoin that have the signatures. If a website does kotnhave the signature, there is no way you can know that the file on the site to download has not been replaced by hackers.