- Attackers exploited a CMS flaw to replace Windows and Linux installer links with malware‑laden versions between May 6–7, 2026
- The poisoned installers deployed a Python‑based RAT via a loader, while other distribution channels (macOS, JAR, Snap, etc.) remained safe
- AppWork advises verifying digital signatures (“AppWork GmbH”) to avoid tampered builds; the site has since been secured
Popular download manager JDownloader recently had its website hacked and hijacked to deploy malware to Windows and Linux users.
As explained by owner AppWork, unidentified attackers found a vulnerability in the website’s content management system (CMS), and used it to swap out the download links for a pair of variants:
“Changes were made through the website’s content management system, affecting published pages and links,” AppWork said in its incident report. “The attacker did not gain access to the underlying server stack — in particular no access to the host filesystem or broader operating-system-level control beyond CMS-managed web content.”
Checking the digital signature
Anyone who clicked on the alternative Windows installer download links, or the Linux shell installer link, between May 6 and May 7, 2026, was redirected to a third-party server hosting a malicious version of the software. This version was poisoned to include a loader that deployed a heavily obfuscated Python-built Remote Access Trojan (RAT).
Other downloads, including in-app updates, macOS downloads, Flatpak, Winget, Snap packages, and the main JDownloader JAR package were not tampered, AppWork confirmed.
It also said the best way to make sure you’re using the right installer is to double-check its digital signature. That can be done by right-clicking on the executable, navigating to Properties, and then the Digital Signatures tab. The program needs to show it was signed by “AppWork GmbH”, otherwise it’s definitely malware.
On Reddit, users who downloaded the tainted versions saw the developer being listed as ‘Zipline LLC,’ and ‘The Water Team’. Luckily enough, Windows Defender flagged the program as malicious, protecting the users.
The website was temporarily turned off, allowing the company to plug the hole and clean up the links.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.