JDownloader installers swapped for Python RAT in May breach
Attackers replaced JDownloader Windows and Linux installers on May 6-7, 2026; the compromised Windows installers contained a Python remote-access trojan, developers confirmed.
Attackers replaced JDownloader installers on the project’s website between May 6 and May 7, 2026. The compromised Windows installers contained a Python-based remote access trojan (RAT). The developers took the site offline on May 7, applied server fixes and restored verified clean installers on May 8 and May 9.
The compromise altered the Windows “Download Alternative Installer” links and the Linux shell installer. Other official distribution methods, including macOS installers, JAR files, Flatpak, Winget and Snap packages, were not affected. The project team reported that users who installed updates through JDownloader’s built-in update mechanism during the two-day window were not impacted.
A remote access trojan allows an attacker to execute commands, control an infected machine, transfer files and capture credentials. Project logs indicate the malicious files were available only during the May 6-7 window before the site was secured.
The intrusion was traced to an unpatched content-management system security bug that permitted modification of access control lists without authentication. That flaw allowed attackers to swap or alter installer links on the distribution server.
As part of recovery, developers applied security patches and hardened server configurations before restoring the download pages. Restored installers were verified; the compromised Windows files lacked digital signatures from AppWork GmbH, the publisher used by the project. The development team advised users who downloaded installers on May 6-7 to confirm the publisher signature and to run a full system scan with a trusted anti-malware tool.
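The publisher-signature check the developers recommend, as an added PowerShell example that is not from the JDownloader project: it reports unsigned or invalidly signed files (as the swapped installers were) and files signed by someone other than the expected publisher. The installer path is a placeholder, and the assumption that the certificate subject carries a `CN=AppWork GmbH` entry is taken from the article, not from an inspected certificate.

```powershell
# Added example (not JDownloader project code). Checks an installer's
# Authenticode signature and confirms the signer matches the expected
# publisher. The expected publisher name comes from the article; the CN
# format is an assumption.
function Test-JDownloaderInstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedPublisher = 'AppWork GmbH'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'file not found' }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # Unsigned files report NotSigned; tampered or untrusted chains report other
    # non-Valid states. Anything but Valid fails the check.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "signature status: $($sig.Status)" }
    }
    $subject = $sig.SignerCertificate.Subject
    # A valid signature from a different publisher is still not the expected one.
    if ($subject -notmatch "CN=$([regex]::Escape($ExpectedPublisher))") {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "unexpected signer: $subject" }
    }
    return [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = "signed by $subject" }
}

# Usage: check every JDownloader installer in the Downloads folder (placeholder path).
Get-ChildItem -Path "$env:USERPROFILE\Downloads\JDownloader*.exe" -ErrorAction SilentlyContinue |
    ForEach-Object { Test-JDownloaderInstallerSignature -Path $_.FullName } |
    Format-Table -AutoSize
```

Any file that comes back with `Trusted = $false` should be treated as suspect and not run; the full system scan the developers advise still applies if it was already executed.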
Security monitoring found the RAT contacted several command-and-control domains after execution. One vendor reported blocking domains contacted by the RAT, including parkspringhotel[.]com. Blocking those domains can limit remote control of infected hosts. Users are advised to check for unusual outgoing connections and to follow vendor guidance for detection and removal.
Developers reiterated that other distribution channels were safe and that restored links were verified before being posted. They recommend verifying installer signatures and scanning systems even if no signs of compromise are visible.