JDownloader Website Hit by Supply-Chain Attack, Distributing Malicious Installers
Between May 6 and May 7, 2026, the official JDownloader website suffered a supply-chain attack, leading to the distribution of malware-laced installers to users worldwide. Attackers exploited an unpatched vulnerability in the site’s content management system (CMS) to redirect download links for the "Download Alternative Installer" (Windows) and the Linux shell installer to malicious third-party files.
The breach began on May 5, 2026, when threat actors tested their approach on a low-traffic page at 23:55 UTC before successfully altering download links on the main site at 00:01 UTC on May 6. The attack remained active until 17:06 UTC on May 7, when the JDownloader team was alerted via Reddit and took the compromised server offline for investigation at 17:24 UTC.
The attackers gained access only to the CMS, allowing them to modify web content including download links without compromising the underlying server or host filesystem. Genuine JDownloader installers were unaffected; only the redirected links pointed to malicious files hosted externally.
Security researcher Thomas Klemenc identified the Windows payload as a heavily obfuscated Python-based remote access trojan (RAT) with modular bot capabilities. The malware communicated with two command-and-control (C2) servers: parkspringshotel[.]com/m/Lu6aeloo.php and auraguest[.]lk/m/douV2quu.php. The malicious Windows executables were signed with spoofed certificates under the names "Zipline LLC" and "The Water Team" to appear legitimate.
Analysis of the Linux installer revealed injected code that downloaded additional malware, installed a SUID-root launcher, and disguised the payload as /usr/libexec/upowerd to evade detection. Eight malicious Windows installer variants (61–107 MB) and one compromised Linux shell installer (JDownloader2Setup_unix_nojre.sh, 7,934,496 bytes) were identified, each with distinct SHA256 hashes.
Other installer variants, including the JAR package, in-app updates, macOS, Flatpak, Winget, and Snap packages, remained unaffected. The JDownloader website was taken offline for remediation and returned on the night of May 8–9, 2026, after security checks confirmed clean installer links. The team noted that in-app updates were unaffected because updates are RSA-signed and cryptographically verified.
Users who downloaded and executed the compromised installers during the risk window were advised to reinstall their operating systems, as the malware could execute arbitrary code and compromise credentials. Indicators of compromise, including file sizes and SHA256 hashes, were published in JDownloader’s official incident report.
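Two defender checks that follow from the analysis above, written here as an added example and not taken from the incident report or the JDownloader project: comparing a downloaded installer's SHA256 against a published value, and testing for a setuid launcher at /usr/libexec/upowerd. The expected hash must come from the official report; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from JDownloader's incident report): checks a user
# or admin can run on a download kept from the risk window, or on a host
# that executed the Linux installer.
#   verify_installer FILE EXPECTED_SHA256  -> exit 0 if the hash matches
#   is_suid PATH                           -> exit 0 if PATH is setuid
#   check_upowerd_launcher                 -> exit 1 if the disguised launcher is present

# SHA256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Exit 0 when FILE's SHA256 equals EXPECTED (case-insensitive), 1 otherwise.
# EXPECTED is the hash published in the incident report for the installer
# you intended to run (clean) or for a known-malicious variant (IoC match).
verify_installer() {
    [ -f "$1" ] || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Exit 0 when PATH exists and carries the setuid bit. The genuine upower
# daemon is started by the service manager and is not setuid, so a setuid
# file at its path is a strong sign the injected installer ran here.
is_suid() {
    [ -u "$1" ]
}

# Host check for the launcher path named in the analysis above.
check_upowerd_launcher() {
    if is_suid /usr/libexec/upowerd; then
        echo "ALERT: /usr/libexec/upowerd is setuid; treat this host as compromised"
        return 1
    fi
    echo "OK: no setuid launcher at /usr/libexec/upowerd"
}
```

A hash match alone does not clear a host that already executed an installer; it only tells you which file was run, so the reinstall advice above still applies when the file matches a malicious variant.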
Source: https://gbhackers.com/jdownloader-hack/
BleepingComputer cybersecurity rating report: https://www.rankiteo.com/company/bleepingcomputer
{
  "id": "BLE1778480659",
  "linkid": "bleepingcomputer",
  "type": "Cyber Attack",
  "date": "5/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "Users who downloaded compromised installers between 2026-05-06 and 2026-05-07",
      "industry": "Technology/Software",
      "location": "Global",
      "name": "JDownloader",
      "type": "Software Distribution Platform"
    }
  ],
  "attack_vector": "Exploited unpatched CMS vulnerability",
  "customer_advisories": "Published on JDownloader website and official incident report.",
  "data_breach": {
    "file_types_exposed": ["Windows executables", "Linux shell installer"],
    "personally_identifiable_information": "Potential credential compromise"
  },
  "date_detected": "2026-05-07T17:06:00Z",
  "date_publicly_disclosed": "2026-05-07",
  "date_resolved": "2026-05-09",
  "description": "Between May 6 and May 7, 2026, the official JDownloader website suffered a supply-chain attack, leading to the distribution of malware-laced installers to users worldwide. Attackers exploited an unpatched vulnerability in the site’s content management system (CMS) to redirect download links for the 'Download Alternative Installer' (Windows) and the Linux shell installer to malicious third-party files.",
  "impact": {
    "brand_reputation_impact": "Yes",
    "downtime": "Website offline from 2026-05-07T17:24:00Z to 2026-05-09",
    "identity_theft_risk": "Yes (credential compromise possible)",
    "operational_impact": "Distribution of malicious installers, potential system compromise for affected users",
    "systems_affected": "User systems executing malicious installers"
  },
  "initial_access_broker": {
    "reconnaissance_period": "2026-05-05T23:55:00Z (test on low-traffic page)"
  },
  "investigation_status": "Completed",
  "post_incident_analysis": {
    "corrective_actions": "Security checks, restored clean installer links, enhanced monitoring",
    "root_causes": "Unpatched CMS vulnerability"
  },
  "recommendations": "Users advised to reinstall OS if they executed compromised installers; monitor for indicators of compromise.",
  "references": [
    {"source": "JDownloader Official Incident Report"},
    {"source": "Security Researcher Thomas Klemenc"}
  ],
  "response": {
    "communication_strategy": "Published official incident report, advised users to reinstall OS if affected",
    "containment_measures": "Took compromised server offline, reverted malicious changes",
    "incident_response_plan_activated": "Yes",
    "recovery_measures": "Website returned online on 2026-05-09",
    "remediation_measures": "Security checks, restored clean installer links"
  },
  "stakeholder_advisories": "Advised users to check for indicators of compromise and reinstall OS if affected.",
  "title": "JDownloader Website Hit by Supply-Chain Attack, Distributing Malicious Installers",
  "type": "Supply-Chain Attack",
  "vulnerability_exploited": "Unpatched CMS vulnerability"
}