Originally Posted By: Pendragon
FWIW, MacUpdate "claims" the nefarious wrapper is not in play for registered MU Desktop users (though I'm not convinced, so I go directly to the developer's site).

If you're not convinced, there is no need to wonder, as you can easily make sure. Currently, MacUpdate’s Installers are recognizable by their name (‘Item X’ Installer), and their file size (1.6MB)*. It’s of course possible that a download from a developer also contains the word ‘Installer’ in its name and that the file size is 1.6MB, but that particular combination is considerably less likely.

But suppose it does happen. In that case a file named ‘MacUpdate Installer’ will be present in the downloaded .dmg from MacUpdate, something that's quite unlikely in a download from a developer. So far, double-clicking those MacUpdate .dmg files is still safe: nothing untoward will happen beyond mounting and opening the disk image. In addition to the install (including that of any additional and potentially unwanted items), the MacUpdate Installers perform the actual download of the software they install, hence their standard and rather small size.

*) You can simply monitor this with your Downloads pulldown (Safari), and stop a download in progress, assuming your internet service isn’t so fast that the download completes before you can react. But even if you let the download complete, you can just delete the disk image.

PS. As of today, the number of MacUpdate Installers is still relatively small. Most downloads are ‘normal’, which makes it still worthwhile to use the MU download button before having to resort to the developer.


alternaut moderator