The official website for JDownloader was compromised in a supply chain attack between May 6 and May 7, 2026. Attackers exploited an unpatched vulnerability in the site's content management system (CMS) to redirect the "Download Alternative Installer" links for Windows and Linux shell installers to malicious third-party payloads. The developers confirmed the breach and took the site offline after users noticed that the installers were being flagged by Microsoft Defender and were signed by suspicious entities such as "Zipline LLC."
Technical analysis reveals that the malicious Windows installer deploys a heavily obfuscated Python-based Remote Access Trojan (RAT) that acts as a modular bot framework. On Linux systems, the compromised script downloads ELF binaries, establishes persistence via systemd scripts, and uses SUID-root binaries to gain elevated privileges while masquerading as legitimate system processes. Because of the high level of access granted to the malware, researchers advise affected users to perform a full operating system reinstallation and reset all account credentials.
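A first-pass triage for the Linux behaviour described above (systemd persistence and SUID-root binaries), as an added example that is not from the JDownloader developers or the researchers. The function names, the scanned directories and the 2026-05-06 default cutoff are assumptions; the page gives no file names or hashes to match on, so the script only surfaces candidates for manual review.

```shell
#!/bin/sh
# Added triage example, not from the advisory. Function names, scanned paths
# and the default cutoff date are assumptions chosen for illustration.

# Print systemd unit files modified after the cutoff.
# $1 = unit directory, $2 = cutoff date (default: start of the reported window)
units_changed_since() {
    dir=$1; since=${2:-2026-05-06}
    [ -d "$dir" ] || return 0
    find "$dir" -type f \( -name '*.service' -o -name '*.timer' \) \
        -newermt "$since" 2>/dev/null | sort
}

# Print set-uid files owned by the given uid (default 0 = root) that live
# outside the directories where distributions normally ship SUID programs.
# A hit is a lead to investigate, and a clean result is not proof of a clean
# host: a binary dropped inside /usr/bin would not be listed here.
# $1 = directory to scan, $2 = owner uid
suid_outside_standard_paths() {
    dir=$1; uid=${2:-0}
    [ -d "$dir" ] || return 0
    find "$dir" -xdev -type f -perm -4000 -uid "$uid" \
        ! -path '/usr/bin/*' ! -path '/usr/sbin/*' ! -path '/usr/lib/*' \
        ! -path '/usr/libexec/*' ! -path '/bin/*' ! -path '/sbin/*' \
        2>/dev/null | sort
}

# Run both checks against the usual system and per-user locations.
triage() {
    echo "== systemd units changed since the compromise window =="
    for d in /etc/systemd/system /usr/lib/systemd/system \
             /home/*/.config/systemd/user /root/.config/systemd/user; do
        units_changed_since "$d"
    done
    echo "== SUID-root files outside standard paths =="
    suid_outside_standard_paths /
}

# Only scan the live system when asked to: sh triage.sh --run (as root)
if [ "${1:-}" = "--run" ]; then
    triage
fi
```

Review each listed unit's `ExecStart=` target and each listed binary against the package manager's file ownership records before drawing conclusions.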