The popular download manager JDownloader was targeted in a supply chain attack, with the official website compromised to distribute malicious Windows and Linux installers.
Supply Chain Attack
The attack, which occurred between May 6 and May 7, 2026, affected users who downloaded installers from the official website via the Windows 'Download Alternative Installer' links or the Linux shell installer.
According to the JDownloader developers, the attackers modified the website's download links to point to malicious third-party payloads rather than legitimate installers.
Impact
JDownloader is a widely used free download management application that supports automated downloads from file-hosting services, video sites, and premium link generators.
The software has been available for more than a decade and is used by millions worldwide across Windows, Linux, and macOS.
The compromise was first reported on Reddit by a user named 'PrinceOfNightSky', who noticed that downloaded installers were being flagged by Microsoft Defender.
'I've been using JDownloader and switched to a new PC a few weeks ago. Luckily I had the installer on a USB drive but decided to download the latest version,' posted PrinceOfNightSky to Reddit.
The JDownloader developers later confirmed that the site had been compromised and took the website offline to investigate the incident.
Incident Report
In an incident report, the developers said their website was compromised by attackers exploiting an unpatched vulnerability that allowed them to change the website's access control lists and content without authentication.
'Changes were made through the website's content management system, affecting published pages and links,' reads the incident report.
'The attacker did not gain access to the underlying server stack — in particular no access to the host filesystem or broader operating-system-level control beyond CMS-managed web content.'
Malicious Payloads
The developers stated that the compromise affected only the alternative Windows installer download links and the Linux shell installer link.
In-app updates, macOS downloads, Flatpak, Winget, Snap packages, and the main JDownloader JAR package were not modified.
Cybersecurity researcher Thomas Klemenc analyzed the malicious Windows executables and shared indicators of compromise (IOCs) for the malware.
According to Klemenc, the malware acts as a loader that deploys a heavily obfuscated Python-based RAT.
Klemenc said the Python payload acts as a modular bot and RAT framework, allowing attackers to execute Python code delivered from the command and control (C2) servers.
The researcher also shared two command and control servers used by the malware: https://parkspringshotel[.]com/m/Lu6aeloo.php and https://auraguest[.]lk/m/douV2quu.php
Linux Malware
BleepingComputer's analysis of the modified Linux shell installer found malicious code injected into the script that downloads an archive from 'checkinnhotels[.]com' disguised as an SVG file.
Once downloaded, the script extracts two ELF binaries named 'pkg' and 'systemd-exec' and then installs 'systemd-exec' as a SUID-root binary in '/usr/bin/'.
The installer then copies the main payload to '/root/.local/share/.pkg', creates a persistence script in '/etc/profile.d/systemd.sh', and launches the malware while masquerading as '/usr/libexec/upowerd'.
The 'pkg' payload is also heavily obfuscated using Pyarmor, so it is unclear what functionality it performs.
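The artifacts described above, turned into a host check. This is an added example, not code from BleepingComputer or the JDownloader project; the root-directory argument, the function names and the test inputs are assumptions of the example, while the paths and the download domain come from the report.

```shell
#!/bin/sh
# Added host-check example (not BleepingComputer's or JDownloader's code). It looks for the
# filesystem artifacts and the download domain the article attributes to the trojanized
# Linux shell installer. The ROOT argument is an assumption of this example: it lets the
# same checks run against a mounted disk image or a test directory instead of the live root.

# Artifacts named in the report, relative to the root being inspected (one per line).
IOC_PATHS="usr/bin/systemd-exec
root/.local/share/.pkg
etc/profile.d/systemd.sh"
# Host the injected installer code fetched the archive disguised as an SVG from.
IOC_DOMAIN="checkinnhotels"

# jd_scan_root ROOT: print one "FOUND: ..." line per artifact present. Always returns 0,
# so callers decide what a finding means; use jd_ioc_count for a number.
jd_scan_root() {
  jd_root="${1:-/}"
  for jd_rel in $IOC_PATHS; do
    jd_full="${jd_root%/}/$jd_rel"
    [ -e "$jd_full" ] || continue
    printf 'FOUND: %s\n' "$jd_full"
    # The report says systemd-exec is installed SUID root; that bit is what makes the
    # dropper a persistent local-root path, so flag it as its own finding.
    if [ "$jd_rel" = "usr/bin/systemd-exec" ] && [ -u "$jd_full" ]; then
      printf 'FOUND: %s has the SUID bit set\n' "$jd_full"
    fi
  done
  return 0
}

# jd_ioc_count ROOT: print the number of findings (0 means none of the artifacts exist).
jd_ioc_count() {
  jd_scan_root "$1" | grep -c '^FOUND' || true
}

# jd_installer_is_tainted FILE: exit 0 if a saved copy of the shell installer references
# the download domain from the report, 1 if it does not (2 if FILE cannot be read).
jd_installer_is_tainted() {
  grep -q "$IOC_DOMAIN" "$1"
}

# Stand-alone use: scan the live root and summarise.
jd_scan_root /
echo "findings on /: $(jd_ioc_count /)"
```

A finding for '/root/.local/share/.pkg' or the SUID 'systemd-exec' on a real host should be treated as a confirmed compromise, which is where the reinstall advice below applies.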
Recommendations
JDownloader says users are only at risk if they downloaded and executed the affected installers while the site was compromised.
As arbitrary code could have been executed by the malware on infected devices, those who installed the malicious installers are advised to reinstall their operating systems.
It is also possible that credentials were compromised on devices, so it is strongly advised to reset passwords after cleaning the devices.
Hackers have increasingly targeted the websites of popular software tools this year to distribute malware to unsuspecting users.
- In April, hackers compromised the CPUID website to change download links that served malicious executables for the popular CPU-Z and HWMonitor tools.
- Earlier this month, threat actors compromised the DAEMONTOOLS website to distribute trojanized installers containing a backdoor.
Source: BleepingComputer