Hackers breach JDownloader website to serve malware-laced downloads


JDownloader’s website was compromised May 6–7, serving malicious Windows and Linux installers for over a day before a Reddit user’s SmartScreen alert prompted the team to pull the site.

What Matters

  • Attackers exploited an unauthenticated ACL-modification bug, granting themselves edit rights without credentials.
  • Only the alternative download page was hit; JDownloader.jar, macOS installers, Winget, Flatpak, and Snap packages were untouched.
  • The Linux shell installer was also swapped for a malicious variant; the compromise was not limited to the Windows builds.
  • The malware’s publisher appeared as “Zipline LLC” instead of the legitimate signer “AppWork”; that signer mismatch is the SmartScreen flag that surfaced the breach.
  • Some users report the malware fully disabled Windows Defender after execution.
  • This mirrors last month’s CPUID breach, where a Zig-compiled CRYPTBASE.dll hijacked CPU-Z via DLL side-loading.
  • [HN: @bundie] Three malicious executables were uploaded to VirusTotal by u/rubi2333: hashes 5a6636ce, fb1e3fe4, 04cb9f0b.
  • [HN: @Our_Benefactors] Sharp UX critique: JDownloader’s nonsensical defaults may reflect broader neglect of operational hygiene on the project.
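As an added example (not code from the article or the JDownloader project), the PowerShell script below performs the check SmartScreen effectively made here: it refuses an installer whose Authenticode signature is not valid or whose signer does not match the expected publisher, and records the file’s SHA-256 so it can be compared with a hash published out of band. The publisher name AppWork comes from the article; the exact certificate subject string, the optional thumbprint to pin, and the installer file name are assumptions to be confirmed against a known-good build.

```powershell
# Added example, not from the article or the JDownloader project.
# Verify a downloaded installer's Authenticode signer before running it.
# 'AppWork' is the legitimate publisher named in the article; the full
# certificate subject and the thumbprint are assumptions (placeholders).
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath,
    [string]$ExpectedPublisherPattern = 'AppWork',
    [string]$ExpectedThumbprint = ''   # optional pin, e.g. from a known-good installer
)

function Test-InstallerSignature {
    param(
        [string]$Path,
        [string]$PublisherPattern,
        [string]$Thumbprint
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # An unsigned, tampered, or untrusted-chain file is a hard failure.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "signature status: $($sig.Status)" }
    }

    $cert = $sig.SignerCertificate

    # The breach surfaced because the signer read "Zipline LLC" rather than the
    # expected publisher: a valid signature from the wrong signer is still rejected.
    if ($cert.Subject -notmatch $PublisherPattern) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "unexpected signer: $($cert.Subject)" }
    }

    # Optional stronger check: pin the exact signing certificate.
    if ($Thumbprint -and ($cert.Thumbprint -ne $Thumbprint)) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "thumbprint mismatch: $($cert.Thumbprint)" }
    }

    return [pscustomobject]@{ Path = $Path; Ok = $true; Reason = "signed by $($cert.Subject)" }
}

$result = Test-InstallerSignature -Path $InstallerPath `
                                  -PublisherPattern $ExpectedPublisherPattern `
                                  -Thumbprint $ExpectedThumbprint

# Record the SHA-256 alongside the verdict so it can be compared with a hash
# obtained from a channel other than the download page itself.
$hash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
Write-Output "$($result.Path)  SHA256=$hash  ok=$($result.Ok)  ($($result.Reason))"

if (-not $result.Ok) { exit 1 }
```

Run it as `.\Test-Installer.ps1 -InstallerPath .\JDownloader2Setup.exe` (file names are placeholders); a non-zero exit means the installer should not be executed. Pinning the thumbprint is the stricter option, since a publisher-name match alone can be defeated by a certificate issued to a similarly named entity.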
