
Hackers replaced installers on the official JDownloader website with a Windows remote access trojan - third 'trusted software website hijack' in a month

JDownloader's official website was compromised between May 5 and May 7, and two downloads were replaced with malware: the alternative Windows installer and the Linux shell installer. The Windows payload is a Python-based remote access trojan; the Linux installer establishes root persistence and pulls additional binaries. The attackers exploited an unpatched flaw in the website's CMS that let them change download links without authentication. The macOS downloads, the Flatpak/Winget/Snap packages, and the main JDownloader.jar were not touched. This is the third 'trusted software site' hijacked in 30 days, after CPUID (CPU-Z, HWMonitor) in April and DAEMON Tools last week.

Check
Audit endpoints for JDownloader installations made between May 5 23:55 UTC and May 7. Check Programs and Features for publishers signed by 'Zipline LLC' or 'The Water Team' rather than 'AppWork GmbH'.
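The audit above can be scripted for a Windows fleet. The following PowerShell is an added example, not code from the article or from the JDownloader project: it walks the Programs and Features registry entries (HKLM, WOW6432Node and HKCU Uninstall keys) for anything named JDownloader, flags a publisher other than 'AppWork GmbH' (naming 'Zipline LLC' and 'The Water Team' explicitly), flags an install date inside the May 5 to May 7 window, and cross-checks the Authenticode signer of the first executable in the install directory. The article does not state the year, so the script assumes the current year via the $Year parameter; the registry InstallDate value only has day granularity, so the 23:55 UTC start is approximated to May 5. A hit is a triage signal only: per the article, any host that actually ran the malicious installer is to be treated as fully compromised regardless of what this check reports.

```powershell
# Added example (not from the article or the JDownloader project): triage a Windows host
# for JDownloader entries whose publisher or signer is not 'AppWork GmbH', or whose
# install date falls in the compromise window described in the article.
param(
    [int]$Year = (Get-Date).Year   # assumption: the article gives no year
)

$legitPublisher = 'AppWork GmbH'
$badPublishers  = @('Zipline LLC', 'The Water Team')   # signers named in the article
$windowStart    = [datetime]::new($Year, 5, 5)          # InstallDate is day-granular
$windowEnd      = [datetime]::new($Year, 5, 7)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$findings = foreach ($entry in Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue) {
    if ($entry.DisplayName -notlike '*JDownloader*') { continue }

    # Registry InstallDate is stored as yyyyMMdd when present.
    $installDate = $null
    if ($entry.InstallDate -match '^\d{8}$') {
        $installDate = [datetime]::ParseExact($entry.InstallDate, 'yyyyMMdd', $null)
    }

    $reasons = @()
    if ($entry.Publisher -in $badPublishers) {
        $reasons += "publisher '$($entry.Publisher)' is a signer named in the advisory"
    } elseif ($entry.Publisher -ne $legitPublisher) {
        $reasons += "publisher '$($entry.Publisher)' is not '$legitPublisher'"
    }
    if ($installDate -and $installDate -ge $windowStart -and $installDate -le $windowEnd) {
        $reasons += "installed on $($installDate.ToString('yyyy-MM-dd')), inside the compromise window"
    }

    # Cross-check the Authenticode signer of a binary in the install directory, when known.
    $signer = $null
    if ($entry.InstallLocation -and (Test-Path $entry.InstallLocation)) {
        $exe = Get-ChildItem -Path $entry.InstallLocation -Filter '*.exe' -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($exe) {
            $sig    = Get-AuthenticodeSignature -FilePath $exe.FullName
            $signer = $sig.SignerCertificate.Subject   # null when the file is unsigned
            if (-not $signer) {
                $reasons += "binary $($exe.Name) is unsigned"
            } elseif ($signer -notmatch 'AppWork GmbH') {
                $reasons += "binary $($exe.Name) signed by '$signer'"
            }
        }
    }

    [pscustomobject]@{
        DisplayName     = $entry.DisplayName
        Publisher       = $entry.Publisher
        InstallDate     = $installDate
        InstallLocation = $entry.InstallLocation
        Signer          = $signer
        Suspicious      = ($reasons.Count -gt 0)
        Reasons         = ($reasons -join '; ')
    }
}

if (-not $findings) {
    Write-Output 'No JDownloader entries found in Programs and Features.'
} else {
    $findings | Format-List
}
```

Run it elevated so the HKLM keys are readable, and feed the output to whatever collects fleet inventory. Entries with Suspicious set to True should go straight to the reinstall and credential-reset steps under Fix rather than to a malware scan.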
Affected
Windows endpoints that downloaded JDownloader through 'Download Alternative Installer' between May 5 23:55 UTC and May 7. Linux endpoints that ran the shell installer in the same window. Acute risk: any host running the malicious installer should be considered fully compromised. Unaffected: macOS users, Flatpak/Winget/Snap installs, in-app updates, and the main JDownloader.jar.
Fix
Reinstall the operating system on any host that ran a malicious JDownloader installer; the developers explicitly recommend this rather than scan-and-clean. Reset every credential entered on the host since the installation: browser-stored passwords, SSH keys, cloud tokens. For corporate fleets running JDownloader, switch to the Winget or Flatpak distribution channels.