Hackers breach JDownloader's website to serve malware-laced downloads

Why This Matters

The breach of JDownloader's website highlights the growing threat of supply chain attacks, where trusted software sources are compromised to distribute malware. This incident underscores the importance of robust security measures for online distribution channels to protect both consumers and the broader tech ecosystem.

Key Takeaways

The website of the popular download manager JDownloader was compromised by attackers who spent over a day serving malicious installers to Windows and Linux users, replacing the legitimate download files with malware.

The JDownloader team first confirmed the hack yesterday and immediately took down the website for a full investigation. The action came after a user on Reddit reported that fresh downloads were being flagged by Windows SmartScreen and listed a suspicious publisher, one "Zipline LLC", instead of the expected "AppWork" signature. The user's post quickly gained traction and prompted a developer from the team to step in and confirm the breach.

The JDownloader team said that its initial investigation confirmed a limited but serious breach. The attackers specifically modified the alternative download page on May 6. They replaced all the alternative Windows installer links with their own malicious, unsigned executables.

The Linux shell installer was also swapped with a version containing malicious shell code. However, the team was quick to reassure users that the main JDownloader.jar file, macOS installers, and packages from repositories like Winget, Flatpak, and Snap were never compromised. Those packages rely on separate infrastructure secured with checksums, and in-app updates are protected by end-to-end digital signatures.

The attackers were able to gain access thanks to an "unpatched" security bug on the website. This flaw let them alter the site's Access Control Lists without needing to be authenticated. After giving themselves edit rights, they simply replaced the official download links with their own. Reports from users who ran the infected files are pretty grim, with some stating the malware disabled Windows Defender entirely.
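The publisher mismatch that tipped off the Reddit user is something a Windows user can check before running any downloaded installer. The following PowerShell function is an added example, not code from the article or from the JDownloader project; the publisher fragment `AppWork`, the installer path, and the optional SHA-256 value are assumptions or placeholders, not values taken from the page.

```powershell
# Added example (not from the article or JDownloader): inspect a downloaded
# installer's Authenticode signature and optional published checksum before
# running it. Expected publisher and hash are assumptions/placeholders.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedPublisher = 'AppWork',   # assumption: fragment expected in the signer CN
        [string]$ExpectedSha256                   # placeholder: checksum published by the vendor
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    $reasons = @()
    # Status is 'Valid' only when the certificate chain verifies and the file
    # hash matches the signed hash; unsigned or tampered files fail here.
    if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
    # A signer other than the expected vendor is the exact signal seen in the
    # breach (an unfamiliar "Zipline LLC" instead of "AppWork").
    if ($subject -notmatch [regex]::Escape($ExpectedPublisher)) { $reasons += "unexpected signer: $subject" }

    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) { $reasons += "SHA-256 mismatch: $actual" }
    }

    [pscustomobject]@{
        Path    = $Path
        Signer  = $subject
        Status  = $sig.Status
        Trusted = ($reasons.Count -eq 0)
        Reasons = ($reasons -join '; ')
    }
}

# Usage: refuse to run the installer unless every check passes.
# The path below is a placeholder, not a JDownloader file name.
$result = Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\installer.exe"
$result | Format-List
if (-not $result.Trusted) { Write-Warning 'Checks failed; do not run this installer.' }
```

Note that this catches an unsigned or differently signed file, which is what happened here, but cannot by itself catch a correctly signed build from a vendor whose signing key has been stolen; the published checksum is a second, independent check.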

JDownloader is the latest victim of a supply chain-style attack that exploits the popularity of a trusted utility to deliver malware. Just last month, hackers breached the official website of CPUID (the maker of the popular hardware diagnostic tools CPU-Z and HWMonitor) and served a deceptively named file (HWiNFO_Monitor_Setup.exe) that tripped Windows Defender.

For CPU-Z, the hackers bundled a malicious, Zig-compiled file named CRYPTBASE.dll with the otherwise clean CPU-Z application, so that when you run it, the program unknowingly loads the fake, malicious DLL file into its memory space first. After a Reddit user raised the alarm, CPUID quickly took down the website, patched the API vulnerability, and restored the clean download links.

Thanks for the tip, Aryeh Goretsky!