The official website of JDownloader was hacked earlier this week in a supply chain attack that exposed Windows and Linux users to malicious installers.
The incident affected people who downloaded the Windows “Alternative Installer” or the Linux shell installer between May 6 and May 7, 2026.
The attackers reportedly altered download links on the official site, replacing legitimate installer files with malicious payloads hosted on third-party servers. JDownloader, which has been around for more than a decade and is widely used for managing downloads from hosting platforms and video websites, confirmed the breach after users started reporting suspicious behavior from the downloaded files.

The issue first came to light when a Reddit user noticed that Microsoft Defender was flagging the installers as malicious. The user also pointed out that the software publisher names appearing during installation were different from the expected developer details linked to AppWork GmbH.
JDownloader developers later confirmed that attackers exploited an unpatched vulnerability in the website’s content management system. According to the incident report, the hackers were able to modify published pages and download links without gaining deeper access to the server infrastructure or operating system.
The developers clarified that only specific download links were compromised. In-app updates, macOS downloads, Flatpak, Winget, Snap packages, and the primary JDownloader JAR package were not affected during the attack.
Cybersecurity researcher Thomas Klemenc analyzed the malicious Windows installer and discovered that it deployed a heavily obfuscated Python-based remote access trojan. The malware reportedly functioned as a modular RAT framework capable of executing Python code received from attacker-controlled command and control servers.
The Linux installer was also found carrying injected malicious code. Analysis showed that the script downloaded additional files disguised as SVG images, extracted ELF binaries, and installed persistent malware components while attempting to hide their activity by mimicking legitimate system processes.
JDownloader advised users to check the digital signatures of downloaded installer files before running them. Legitimate installers should display “AppWork GmbH” under the Digital Signatures tab in Windows file properties. Files without a valid signature or signed by a different publisher should not be trusted.
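The signature check described above can be scripted across a folder of downloads. The following PowerShell is an added example, not code from JDownloader or from the incident report; the Downloads folder and the `*.exe` filter are assumptions, while the expected signer name and the May 6 to May 7, 2026 window come from the article.

```powershell
# Added example: report Authenticode status and signer for downloaded installers.
# Assumptions: the search folder and the *.exe filter are placeholders chosen here.
# From the article: expected signer "AppWork GmbH", exposure window May 6-7, 2026.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),
    [string]$ExpectedSigner = 'AppWork GmbH'
)

$windowStart = [datetime]'2026-05-06'
$windowEnd   = [datetime]'2026-05-08'   # exclusive upper bound (end of May 7)
$nameType    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

Get-ChildItem -Path $Path -Filter '*.exe' -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

    # "Name of signer" as shown on the Digital Signatures tab.
    $signer = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.GetNameInfo($nameType, $false)
    } else {
        '(unsigned)'
    }

    # Both conditions must hold: the signature validates AND the publisher matches.
    # A valid signature from a different publisher is exactly what users reported.
    $trusted  = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedSigner)
    $inWindow = ($_.CreationTime -ge $windowStart) -and ($_.CreationTime -lt $windowEnd)

    [pscustomobject]@{
        File             = $_.Name
        Status           = $sig.Status
        Signer           = $signer
        SavedInWindow    = $inWindow
        Sha256           = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Verdict          = if ($trusted) { 'signer matches' } else { 'DO NOT RUN' }
    }
} | Format-List
```

A file that shows `DO NOT RUN` together with `SavedInWindow : True` falls in the exposure period the developers described; the SHA-256 value is printed so it can be compared against any hashes the vendor publishes.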
The company warned that users who downloaded and executed the affected installers may have exposed their systems and credentials to attackers. Those impacted are being advised to reinstall their operating systems and reset passwords after cleaning infected devices.





