The official website for JDownloader was compromised in a supply chain attack that distributed malicious installers to Windows and Linux users.
According to the developers, the attack affected users who downloaded software between May 6 and May 7, 2026, through the Windows “Download Alternative Installer” links or the Linux shell installer. Attackers reportedly altered download links on the official site, redirecting users to malicious third-party payloads instead of legitimate installers.
The incident was first flagged on Reddit by a user who noticed the downloaded files were being detected by Microsoft Defender. The JDownloader team later confirmed the compromise and temporarily took the website offline while investigating.
In a public incident report, the developers said the attackers exploited an unpatched vulnerability that allowed unauthorized changes to website access control lists and content. They emphasized that the attackers did not gain access to the underlying server infrastructure or operating system, limiting the breach to CMS-managed web content.
The incident affected only specific downloads, including the alternative Windows installer and Linux shell installer links. The developers said that in-app updates, macOS downloads, Flatpak, Winget, Snap packages, and the main JDownloader JAR package remained safe and unmodified.
Users are advised to verify installer legitimacy by checking the Digital Signatures tab in the file properties. Legitimate installers should be signed by “AppWork GmbH.” Unsigned files or files signed by another entity should be treated as suspicious.
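The same signature check can be scripted across a folder of downloaded installers. The PowerShell below is an added example, not code from the JDownloader developers; the function name `Test-InstallerSigner` and the default Downloads folder are assumptions, and it assumes the signer name shown in the Digital Signatures tab matches the certificate's simple name.

```powershell
# Added example: flag Windows installers that are unsigned, fail Authenticode
# validation, or are signed by anyone other than the expected publisher.
param(
    [string]$Folder = (Join-Path $HOME 'Downloads'),  # assumption: where installers were saved
    [string]$ExpectedSigner = 'AppWork GmbH'          # signer name given in the article
)

function Test-InstallerSigner {
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$Expected
    )
    $sig = Get-AuthenticodeSignature -LiteralPath $File
    $signer = $null
    if ($sig.SignerCertificate) {
        # SimpleName is the publisher name shown as "Name of signer" in file properties.
        $signer = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }
    # Status must be Valid (hash matches and the chain is trusted) before the
    # name is considered at all; a matching name on a broken signature proves nothing.
    $verdict =
        if ($sig.Status -eq 'NotSigned')   { 'SUSPICIOUS: unsigned' }
        elseif ($sig.Status -ne 'Valid')   { "SUSPICIOUS: signature status $($sig.Status)" }
        elseif ($signer -cne $Expected)    { "SUSPICIOUS: signed by '$signer'" }
        else                               { 'OK' }

    [pscustomobject]@{
        File       = $File
        Status     = $sig.Status
        Signer     = $signer
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        SHA256     = (Get-FileHash -LiteralPath $File -Algorithm SHA256).Hash  # for incident notes
        Verdict    = $verdict
    }
}

# Check every .exe in the folder and list the suspicious ones first.
Get-ChildItem -LiteralPath $Folder -Filter '*.exe' -File |
    ForEach-Object { Test-InstallerSigner -File $_.FullName -Expected $ExpectedSigner } |
    Sort-Object @{ Expression = { $_.Verdict -eq 'OK' } } |
    Format-Table File, Status, Signer, Verdict -AutoSize
```

Authenticode applies only to the Windows installers; this check says nothing about the Linux shell installer.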
Cybersecurity researcher Thomas Klemenc analyzed the malicious Windows payload and found it acted as a loader for an obfuscated Python-based remote access trojan (RAT). According to Klemenc, the malware functions as a modular bot and RAT framework capable of executing Python code received from command-and-control servers, potentially giving attackers remote access to infected systems.