The official website of JDownloader was compromised this week, and attackers used it to distribute malware through fake Windows and Linux installers.
The issue was confirmed by a developer from the project on Reddit after users started reporting suspicious files and unusual publisher names attached to the downloads.
According to the developer, attackers modified JDownloader’s alternative download page early on May 6. Legitimate installers for Windows and Linux were replaced with malicious files. Anyone who downloaded the software from the affected page between May 6 and May 8 may be at risk.
Users noticed strange publisher names on the infected Windows installers, including “Zipline LLC,” “The Water Team,” and “Peace Team.” The malicious installers also lacked proper digital signatures.
Fortunately, Windows security tools such as SmartScreen and Defender were able to detect and block the modified files automatically. Users would have needed to manually bypass the warnings to install the malware.
The Linux shell installer was also compromised. According to the developers, attackers replaced the original installer with a file containing harmful shell code.
The development team said the attackers exploited an unpatched vulnerability that allowed them to modify access permissions without authentication. Server logs reportedly showed the attackers first testing the exploit on a dummy page before targeting the live download section.
Not all downloads were affected by the breach. The developers confirmed that macOS installers remained safe and still carried valid digital signatures. The core JDownloader.jar file was also untouched.
Third-party packages distributed through Flatpak, Winget, and Snap were also checked and found safe because they use a separate hosting infrastructure.
Existing installations of JDownloader are reportedly safe as well. The application’s internal update system runs on separate servers and uses end-to-end digital signatures for protection.
The JDownloader team has temporarily locked parts of the website in read-only mode while they investigate the incident and patch the vulnerability. Clean files have already been restored from backups.
