Several of those are projects that were never hosted at SourceForge, aren't they? Firefox, for example, I don't believe was ever an SF project. WordPress, I don't recall ever seeing on SourceForge. Are they altering the binaries they are posting on their "mirror"?
I downloaded the bitcoin .exe, and it came clean, with the right signatures, but who knows how they are distributing the stuff. I have an Ubuntu computer. If they're at least a bit smart they will use their download redirects to serve the spyware only to Windows computers or something, so that could be why I got a clean binary. Bitcoin devs investigated, at my request. They removed the sf-editor1 user from the project owners and checked the binaries to see if sigs matched, and they did. But like I said, they could be filtering who they serve the "spyware" to.
This is very confusing.
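The check the posters describe, comparing a downloaded binary against the checksums the project itself publishes, as an added example that is not part of the original thread. It is a small hypothetical verifier: the `SHA256SUMS` text, the file names and the file contents are all constructed here, and `parse_sha256sums` and `verify_downloads` are assumed helper names. Because a mirror can serve different bytes to different clients, the useful habit is to verify every download against a checksum list obtained from the project's own site, not from the mirror that served the file.

```python
import hashlib
import hmac

# Constructed sample data: a pristine artefact and a tampered copy
# (hypothetical file names; not real project binaries).
GOOD_BYTES = b"pristine installer payload (constructed sample)"
TAMPERED_BYTES = GOOD_BYTES + b"\x90\x90 extra bytes a mirror might append"

# A SHA256SUMS-style list as a project would publish it from its own site,
# built here from the pristine bytes so the sample is self-consistent.
SHA256SUMS_TEXT = (
    f"{hashlib.sha256(GOOD_BYTES).hexdigest()}  good-setup.exe\n"
    f"{hashlib.sha256(GOOD_BYTES).hexdigest()}  tampered-setup.exe\n"
)

# What we actually received from the mirror for each name.
DOWNLOADS = {
    "good-setup.exe": GOOD_BYTES,
    "tampered-setup.exe": TAMPERED_BYTES,   # bytes differ from the published hash
    "unlisted-setup.exe": b"no published checksum for this one",
}


def parse_sha256sums(text: str) -> dict:
    """Parse 'HEX  filename' lines (sha256sum format) into {filename: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")            # sha256sum marks binary mode with '*'
        if len(digest) != 64:
            raise ValueError(f"malformed digest on line: {line!r}")
        sums[name] = digest.lower()
    return sums


def verify_downloads(downloads: dict, sums: dict) -> dict:
    """Return {filename: 'ok' | 'mismatch' | 'unlisted'} for each download."""
    results = {}
    for name, data in downloads.items():
        expected = sums.get(name)
        if expected is None:
            results[name] = "unlisted"      # nothing trustworthy to compare against
            continue
        actual = hashlib.sha256(data).hexdigest()
        # Constant-time compare; mainly a good habit when digests come from outside.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


if __name__ == "__main__":
    for name, status in verify_downloads(DOWNLOADS, parse_sha256sums(SHA256SUMS_TEXT)).items():
        print(f"{name}: {status}")
```

A checksum list is only as trustworthy as the channel it came from, so the list should be fetched over TLS from the project's own domain and, where the project signs it, its PGP signature checked with the developers' published key before the hashes are used.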