Attackers replaced JDownloader installer downloads with malware

If you downloaded the JDownloader installer during the compromise window (May 6-7), you are advised to verify the file.

JDownloader is a popular download management application, particularly favored for automated downloads from file-hosting services, video sites, and premium link generators.

The JDownloader website was confirmed to have been compromised on May 6-7, 2026. During that window, the Windows “Download Alternative Installer” links and the Linux shell installer were compromised. Other download options, including macOS, JAR files, Flatpak, Winget, and Snap packages remained safe.

Users that applied updates during that period were not affected. The malicious Windows installers deployed a Python-based remote access Trojan (RAT).

The developers confirmed the breach on May 7, immediately taking the website offline for investigation. After security patches were applied and server configurations hardened, the website was restored on May 8-9 with verified clean installer links. The attack vector was identified as an unpatched CMS security bug that allowed attackers to modify access control lists without authentication.

Attackers replaced JDownloader installer downloads with malware

Other newsrooms on this story

Related reading

GitHub Worm Hits npm Packages With 16M Downloads

Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack

Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotaged

Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub

Hackers have compromised dozens of popular open source packages in an ongoing…