The official website of the popular JDownloader download manager was compromised earlier this week, leading to a supply chain attack that distributed malicious Windows and Linux installers between May 6 and May 7, 2026. Attackers exploited an unpatched vulnerability in the site's content management system (CMS) to modify download links, redirecting users to malicious payloads instead of legitimate software. While in-app updates and official packages like Flatpak remained safe, the alternative Windows links and Linux shell installers were weaponized.
Technical analysis revealed that the malicious Windows executables deploy a heavily obfuscated Python-based remote access trojan (RAT), capable of executing arbitrary code delivered from command and control (C2) servers. On Linux, the modified installer injected ELF binaries, established persistence via SUID-root binaries, and masqueraded as system processes. Users who executed these installers are advised to perform a full operating system reinstallation and reset all credentials to mitigate the risk of ongoing compromise.