When you download a KDE neon ISO you get transparently redirected to one of the mirrors that KDE uses. Recently the Polish mirror was marked as unsafe in Google Safebrowsing which is an extremely popular service used by most web browsers and anti-virus software to check if a site is problematic. I expect there was a problem elsewhere on this mirror but it certainly wasn’t KDE neon. KDE sysadmins have tried to contact the mirror and Google.
You can verify any KDE neon installable image by checking the gpg signature against the KDE neon ISO Signing Key. This is the .sig file which is alongside all the .iso files.
gpg2 --recv-key '348C 8651 2066 33FD 983A 8FC4 DEAC EA00 075E 1D76' wget http://files.kde.org/neon/images/neon-useredition/current/neon-useredition-current.iso.sig gpg2 --verify neon-useredition-current.iso.sig gpg: Signature made Thu 19 Jan 2017 11:18:13 GMT using RSA key ID 075E1D76 gpg: Good signature from "KDE neon ISO Signing Key <firstname.lastname@example.org>" [full]
Adding a sensible GUI to do this is future work and fairly tricky to do in a secure way but hopefully soon.by