If a website does not have the signature, there is no way you can know that the file on the site to download has not been replaced by hackers.
True. I wonder if we have a website or database where users submit a hash of a file manually as a way to cross-check downloaded files. I know the responsibility should lie with the company to provide that stuff, especially with the possibility of scammers uploading misleading hashes. I'm just curious if someone has built a tool like that. Another option is to use a malware scanner to check them, I guess (other than making sure you visit the right website, double-checking on social media, etc.).
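As an added example (not code from any poster in this thread), here is the hash cross-check the post above describes, done locally: a SHA256SUMS-style list from the publisher is parsed, each downloaded file is hashed in chunks, and the digest is compared in constant time. The release names, file contents and the "tampered" byte flip are constructed sample data; the point of the demo is that an intact file, a file an attacker replaced with one of the same size, and a file that never arrived each produce a distinct verdict.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16  # read large downloads in 64 KiB pieces instead of all at once


def sha256_file(path):
    """Return the lowercase hex SHA-256 of a file, streaming it from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' is the GNU binary-mode marker
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        expected[name] = digest
    return expected


def verify_downloads(directory, sums_text):
    """Check every file named in sums_text against the copy in directory.

    Returns {name: 'OK' | 'MISMATCH' | 'MISSING'}. A MISMATCH is the case the thread
    is about: the bytes on disk are not the bytes the publisher hashed.
    """
    results = {}
    for name, digest in parse_sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = sha256_file(path)
        # compare_digest avoids leaking how many leading characters matched
        results[name] = "OK" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return results


def run_demo():
    """Constructed scenario: one intact download, one silently replaced, one missing."""
    publisher = {  # hypothetical release artefacts, contents invented for the demo
        "tool-1.0.tar.gz": b"\x1f\x8b\x08" + b"release payload " * 64,
        "tool-1.0.zip": b"PK\x03\x04" + b"windows build " * 64,
        "tool-1.0.deb": b"!<arch>\n" + b"debian package " * 64,
    }
    # What the publisher's SHA256SUMS file would contain for those bytes
    sums_text = "\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in publisher.items()
    )
    with tempfile.TemporaryDirectory() as d:
        # Intact copy
        with open(os.path.join(d, "tool-1.0.tar.gz"), "wb") as f:
            f.write(publisher["tool-1.0.tar.gz"])
        # Replaced copy: same size, one byte flipped, so a size check would not notice
        tampered = bytearray(publisher["tool-1.0.zip"])
        tampered[10] ^= 0x01
        with open(os.path.join(d, "tool-1.0.zip"), "wb") as f:
            f.write(bytes(tampered))
        # tool-1.0.deb is deliberately never written
        return verify_downloads(d, sums_text)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:8} {name}")
```

One caveat that follows from the first reply in this thread: if the SHA256SUMS text comes from the same page as the download, anyone who replaced the file can replace the hashes too, so this check only catches corruption and mirror tampering. It catches a compromised site only when the checksum list is obtained from an independent channel or is itself signed and that signature is verified first.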
I don't know if this is working, since I never tried to use this site, as I have no interest in clicking any random link or even shortened links, for security purposes.
But if people want to check the link they are downloading from, maybe they should try to use these sites to check that the files they are trying to download are not contaminated by malware.
www.virustotal.com
opentip.kaspersky.com
www.hybrid-analysis.com
Proper verification is important, since it's hard to regret it later and experience losses due to this malware.
I don't think that VirusTotal will work on this kind of attack, though, because it will have to go inside the website and maybe it will not be allowed, so everything that VirusTotal sees might be a false positive or negative.
But I do agree that certain restrictions should be implemented by these package websites, as they are now prone to this kind of attack. Even the original developer might not be aware that someone has imitated everything and is using the code to harm people.
So it's very risky now to just download anything, even if the package sites have built up trust and reputation already.