JDownloader Website Compromised to Distribute Malware to Users

Severity: High (Score: 70.5)

Sources: jdownloader.org, News.Ycombinator, Bleepingcomputer

Summary

The JDownloader website was hacked between May 6 and May 7, 2026, to serve malicious installers for Windows and Linux users. Attackers replaced legitimate download links with malicious payloads, specifically targeting the 'Download Alternative Installer' and Linux shell installer links. Users who downloaded these installers may have inadvertently installed a Python-based remote access trojan. The JDownloader team confirmed the breach after users reported issues, including malware being flagged by security software. The website was taken offline for investigation, and the malicious links were removed. The main JDownloader JAR file and other installation methods remained unaffected. The developers provided guidance for users to verify legitimate installers and shared hashes for the malicious files. The website was restored on May 9, 2026, after ensuring the integrity of the download links. Key Points: • JDownloader website hacked to serve malware via compromised download links. • Users who downloaded installers between May 6-7, 2026, are at risk of infection. • Main application files were not affected; only specific download links were compromised.

Key Entities

• Malware (attack_type)
• Supply Chain Attack (attack_type)
• AppWork GmbH (company)
• Cpuid (company)
• Daemontools (company)
• JDownloader (company)
• Zipline LLC (company)
• jdownloader.org (domain)
• T1027 - Obfuscated Files Or Information (mitre_attack)
• T1036 - Masquerading (mitre_attack)
• T1055 - Process Injection (mitre_attack)
• T1059.006 - Python (mitre_attack)
• T1071 - Application Layer Protocol (mitre_attack)
• Flatpak (platform)
• Linux (platform)
• MacOS (platform)
• Windows (platform)
• Winget (platform)
• PyArmor (tool)