The website for the popular JDownloader download manager was compromised last week, leading to the distribution of malicious Windows and Linux installers. The attackers exploited an unpatched vulnerability in the website's content management system to alter download links, affecting users who downloaded installers between May 6 and May 7, 2026. The compromise did not affect in-app updates, macOS downloads, or other package formats, with further coverage provided by Bleeping Computer.

The supply chain attack involved attackers modifying the website's download links to point to malicious third-party payloads. For Windows, the payload deployed a Python-based remote access trojan (RAT), while the Linux installer injected malicious code to download and install obfuscated binaries, establishing persistence and masquerading as a legitimate system process. Cybersecurity researchers identified the RAT as a modular bot and RAT framework capable of executing arbitrary Python code delivered from command and control servers.

JDownloader developers confirmed the breach, stating that attackers exploited an unpatched vulnerability allowing them to change website access control lists and content without authentication. Users can verify legitimate installers by checking the digital signature for "AppWork GmbH." Those who downloaded and executed the affected installers are advised to reinstall their operating systems and reset passwords due to potential credential compromise and arbitrary code execution. This incident follows similar supply chain attacks targeting software download sites like CPUID and DAEMONTOOLS.

Source: Bleeping Computer
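The signature check described above can be scripted for a downloaded Windows installer. This is an added example, not code from JDownloader, AppWork or Bleeping Computer. It assumes the installer is Authenticode-signed and that "AppWork GmbH" appears as the certificate's subject common name; the function name `Test-InstallerSigner` and the file path are hypothetical.

```powershell
# Added example: confirm an installer has a valid Authenticode signature
# from the expected publisher BEFORE running it.
# Assumption: the publisher name is the signing certificate's subject CN.
function Test-InstallerSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSigner = 'AppWork GmbH'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate   # $null when the file is unsigned

    # SimpleName resolves to the subject CN for code-signing certificates.
    $signer = if ($cert) {
        $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
            $false)
    } else { $null }

    # 'Valid' = file hash matches the signature and the chain is trusted.
    # NotSigned, HashMismatch, NotTrusted etc. all fail this test.
    $statusOk = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid
    # Exact (case-insensitive) match, so look-alike names with extra text fail.
    $signerOk = $signer -eq $ExpectedSigner

    [pscustomobject]@{
        Path       = (Resolve-Path -LiteralPath $Path).Path
        Status     = $sig.Status
        Signer     = $signer
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted    = ($statusOk -and $signerOk)
    }
}

# Hypothetical path: replace with the installer you actually downloaded.
$result = Test-InstallerSigner -Path "$env:USERPROFILE\Downloads\installer.exe"
$result | Format-List
if (-not $result.Trusted) {
    Write-Warning 'Signature missing, invalid, or not from the expected publisher. Do not run this file.'
}
```

The reported SHA256 and certificate thumbprint are recorded so the file can be referenced in an incident ticket without executing it.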



