
I dunno if this would work...
But might it be a good idea to have a "known good" or "gold" copy of the download held in a secure non-web-facing store (in a BLOB in a back-end database, or a heavily fire-walled FTP server) and have the web site check that its cached version is the same as the "gold" version on a daily or hourly basis?
Or, you know, secure their web server so that bad actors can't arbitrarily change the software available on it.
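
A sketch of the periodic gold-copy comparison proposed in the comment above, added here as an example and not part of the original post. It assumes the gold copies are files in a directory on the non-web-facing host and that the audit runs from that host, so a compromised web server cannot vouch for itself; the function names and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large downloads need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(directory):
    """Map each file's relative path to its digest."""
    manifest = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, directory)] = sha256_file(full)
    return manifest

def audit(web_dir, gold_manifest):
    """Return (status, path) findings for the web-facing copy of the downloads."""
    served = build_manifest(web_dir)
    findings = []
    for rel, digest in sorted(gold_manifest.items()):
        if rel not in served:
            findings.append(("missing", rel))
        elif served[rel] != digest:
            findings.append(("modified", rel))
    # Files the gold store never published are as suspicious as changed ones.
    findings += [("unexpected", rel) for rel in sorted(set(served) - set(gold_manifest))]
    return findings

def demo():
    """Constructed sample: identical trees first, then a tampered web copy."""
    with tempfile.TemporaryDirectory() as gold, tempfile.TemporaryDirectory() as web:
        for d in (gold, web):
            for name, data in (("installer.bin", b"release 1.0"), ("README.txt", b"notes")):
                with open(os.path.join(d, name), "wb") as f:
                    f.write(data)
        manifest = build_manifest(gold)
        clean = audit(web, manifest)
        with open(os.path.join(web, "installer.bin"), "ab") as f:
            f.write(b"\x00appended bytes")       # simulated modification
        os.remove(os.path.join(web, "README.txt"))
        with open(os.path.join(web, "extra.dll"), "wb") as f:
            f.write(b"not in gold store")
        return clean, audit(web, manifest)

if __name__ == "__main__":
    print(demo())
```

Run from a scheduler on the back-end host, any non-empty result is the signal to alert and restore the gold copy.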