It's not just FileZilla or SourceForge doing this. Lenovo do this routinely. They used to bundle something called BrowserGuard, which contains a PUP by Conduit. Conduit have since been partially acquired by another company, Perion. I followed that rabbit hole last year; Lenovo point-blank refuse to acknowledge it is spyware.
And it IS spyware. I created a Perion account to see what they actually had going on. They have an online form you can upload your executable to and it wraps their malware in the form of a toolbar. I tested it by uploading notepad.exe, and sure enough it works quite easily.
They capture your location and a whole bunch of data about your computer. They also have remote update facilities built into it. It's pernicious, and the company structure has been designed to make it very hard to determine who owns it. And Lenovo were very happy to use them.
Oh, and here is an article that confirms the autoupdate:
You should generally not trust preinstalled OSs, regardless of vendor. Most (all?) of them shovel crap in there, often because they get paid to do it. It's sad, but it's just the world we live in.
The really scary thing is when vendors put in backdoors or trojans like this at a level below the OS (in UEFI, for example).