PPRuNe Forums - View Single Post - SolarWinds hack may have compromised UK Public Sector systems
Old 15th Dec 2020, 10:27
#3
cattletruck
 
Join Date: Apr 1998
Location: Mesopotamos
Posts: 5
Part of building any secure computer environment is to employ the clean source principle. It's really simple: first you confirm the site you are downloading from is bona fide, you then download the vendor's software bundle from the internet into a quarantined area, you then download the vendor's checksum for that software bundle, you generate your own checksum for the software bundle you just downloaded, and you compare your checksum with the vendor's checksum. If they match, you document this step in your logs and move the software bundle out of quarantine, ready for installation.

People tamper with file downloads all the time; people also pretend to be authorities/representatives for other vendors. It's not difficult to circumvent all this; all it requires is an investment of an extra 15 minutes.

This is totally inexcusable.
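The intake steps described in the post above, as an added example that is not part of the original post: hash the quarantined bundle, compare it with the vendor's published checksum, log the outcome, and move the file out of quarantine only on a match. It assumes SHA-256 and a `sha256sum`-style checksum file; the function names, directory names, log format and sample bundle are all constructed for illustration.

```python
import hashlib, hmac, json, shutil, tempfile, time
from pathlib import Path

def sha256_file(path):
    """Hash the file in chunks so large bundles never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def expected_digest(checksum_text, filename):
    """Find filename in sha256sum-style text ('<hex>  name' or '<hex> *name')."""
    for line in checksum_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            digest = parts[0].lower()
            if len(digest) == 64 and set(digest) <= set("0123456789abcdef"):
                return digest
    return None  # no usable entry: treat as a failed check, never as a pass

def release_from_quarantine(bundle, checksum_text, release_dir, log_path):
    """Compare checksums, log the outcome, move the bundle only on a match."""
    bundle = Path(bundle)
    want, got = expected_digest(checksum_text, bundle.name), sha256_file(bundle)
    ok = want is not None and hmac.compare_digest(want, got)
    entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "file": bundle.name,
             "expected": want, "actual": got, "result": "released" if ok else "held"}
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")  # one JSON line per intake decision
    if ok:
        Path(release_dir).mkdir(parents=True, exist_ok=True)
        shutil.move(str(bundle), str(Path(release_dir) / bundle.name))
    return ok

def demo():
    """Constructed sample: one intact bundle, then one altered after publication."""
    with tempfile.TemporaryDirectory() as tmp:
        quarantine, release, log = (Path(tmp, n) for n in ("quarantine", "release", "intake.log"))
        quarantine.mkdir()
        bundle = quarantine / "vendor-bundle.zip"
        bundle.write_bytes(b"constructed vendor bundle")
        vendor_sums = f"{sha256_file(bundle)}  vendor-bundle.zip\n"
        first = release_from_quarantine(bundle, vendor_sums, release, log)
        bundle.write_bytes(b"constructed vendor bundle, altered")  # same name, new content
        second = release_from_quarantine(bundle, vendor_sums, release, log)
        return first, second, bundle.exists(), len(log.read_text().splitlines())

if __name__ == "__main__":
    print(demo())
```

The checksum text should be fetched separately from the bundle, as the post describes; a match confirms the download equals the file the vendor published that checksum for.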