Proprietary · 2026-05-06 · 1 day · Malware Delivery

JDownloader CMS served trojanized installer

Attackers changed selected JDownloader website links to malicious third-party files. The real installers and RSA-signed in-app updater were not modified.

Story

The popular open-source download manager JDownloader briefly served malicious installers from its own website in early May 2026, after attackers used the project's content management system to swap selected download links to unrelated third-party files. The project's signed installers and in-app updater were not modified.

In a public incident notice, the JDownloader team described the event as a website-content compromise, not a build compromise. Attackers used the jdownloader.org CMS to change selected download links, so users who chose the Windows "Download Alternative Installer" path or the Linux shell installer could end up with unrelated malicious files instead. The vendor said genuine installer packages were not modified, the underlying host filesystem was not reached, and personal data was not accessed. The in-app updater was outside the affected path and continued to verify updates with RSA signatures.

The risk window ran from shortly after midnight UTC on May 6 through May 7, 2026. According to the project's writeup, the team was alerted at 17:06 UTC on May 7, took the site down 18 minutes later, removed the malicious link targets, restored legitimate links, and kept the site offline until further verification was complete.

The most useful evidence for defenders is the substituted artifact set itself. JDownloader published exact byte sizes and SHA-256 hashes for one Linux shell installer substitute and seven Windows executable substitutes. Those hashes identify the malicious files, not JDownloader's clean release packages.

Affected Artifacts

JDownloader2Setup_unix_nojre.sh

jdownloader website linux installer · jdownloader.org · Script
Observed: 2026-05-06 to 2026-05-07
Compromised Versions: Unknown
Fixed: Not listed
Hashes
  • sha256:6d975c05ef7a164707fa359284a31bfe0b1681fe0319819cb9e2c4eec2a1a8af
  • Observed malicious substitute file size: 7,934,496 bytes. JDownloader stated the genuine installer packages were not modified; CMS-managed website links were redirected.

JDownloader2Setup_windows-amd64_v11_0_30.exe

jdownloader website alternative installer · jdownloader.org · Binary Archive
Observed: 2026-05-06 to 2026-05-07
Compromised Versions: Unknown
Fixed: Not listed
Hashes
  • sha256:fb1e3fe4d18927ff82cffb3f82a0b4ffb7280c85db5a8a8b6f6a1ac30a7e7ed9
  • Observed malicious substitute file size: 104,910,336 bytes.

JDownloader2Setup_windows-amd64_v17_0_18.exe

jdownloader website alternative installer · jdownloader.org · Binary Archive
Observed: 2026-05-06 to 2026-05-07
Compromised Versions: Unknown
Fixed: Not listed
Hashes
  • sha256:04cb9f0bca6e0e4ed30bc92726590724bf60938440b3825252657d1b3af45495
  • Observed malicious substitute file size: 101,420,032 bytes.

JDownloader2Setup_windows-amd64_v1_8_0_482.exe

jdownloader website alternative installer · jdownloader.org · Binary Archive
Observed: 2026-05-06 to 2026-05-07
Compromised Versions: Unknown
Fixed: Not listed
Hashes
  • sha256:5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3
  • Observed malicious substitute file size: 61,749,248 bytes.

JDownloader2Setup_windows-amd64_v21_0_10.exe

jdownloader website alternative installer · jdownloader.org · Binary Archive
Observed: 2026-05-06 to 2026-05-07
Compromised Versions: Unknown
Fixed: Not listed
Hashes
  • sha256:32891c0080442bf0a0c5658ada2c3845435b4e09b114599a516248723aad7805
  • Observed malicious substitute file size: 107,124,736 bytes.

JDownloader2Setup_windows-x86_v11_0_29.exe

jdownloader website alternative installer · jdownloader.org · Binary Archive
Observed: 2026-05-06 to 2026-05-07
Compromised Versions: Unknown
Fixed: Not listed
Hashes
  • sha256:de8b2bdfc61d63585329b8cfca2a012476b46387435410b995aeae5b502bd95e
  • Observed malicious substitute file size: 87,157,760 bytes.

JDownloader2Setup_windows-x86_v17_0_17.exe

jdownloader website alternative installer · jdownloader.org · Binary Archive
Observed: 2026-05-06 to 2026-05-07
Compromised Versions: Unknown
Fixed: Not listed
Hashes
  • sha256:e4a20f746b7dd19b8d9601b884e67c8166ea9676b917adea6833b695ba13de16
  • Observed malicious substitute file size: 86,576,128 bytes.

JDownloader2Setup_windows-x86_v1_8_0_472.exe

jdownloader website alternative installer · jdownloader.org · Binary Archive
Observed: 2026-05-06 to 2026-05-07
Compromised Versions: Unknown
Fixed: Not listed
Hashes
  • sha256:4ff7eec9e69b6008b77de1b6e5c0d18aa717f625458d80da610cb170c784e97c
  • Observed malicious substitute file size: 62,498,304 bytes.
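
A sweep a defender could run with the values listed above, as an added example that is not part of the original record or of JDownloader's notice: it walks a directory, uses the published byte sizes as a cheap prefilter, and reports files whose SHA-256 also matches, regardless of file name. The function names and the default `~/Downloads` path are assumptions.

```python
import hashlib
import os
import sys

# SHA-256 -> (size in bytes, listed file name), copied from the Affected
# Artifacts entries above. These identify the malicious substitutes only.
SUBSTITUTES = {
    "6d975c05ef7a164707fa359284a31bfe0b1681fe0319819cb9e2c4eec2a1a8af": (7934496, "JDownloader2Setup_unix_nojre.sh"),
    "fb1e3fe4d18927ff82cffb3f82a0b4ffb7280c85db5a8a8b6f6a1ac30a7e7ed9": (104910336, "JDownloader2Setup_windows-amd64_v11_0_30.exe"),
    "04cb9f0bca6e0e4ed30bc92726590724bf60938440b3825252657d1b3af45495": (101420032, "JDownloader2Setup_windows-amd64_v17_0_18.exe"),
    "5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3": (61749248, "JDownloader2Setup_windows-amd64_v1_8_0_482.exe"),
    "32891c0080442bf0a0c5658ada2c3845435b4e09b114599a516248723aad7805": (107124736, "JDownloader2Setup_windows-amd64_v21_0_10.exe"),
    "de8b2bdfc61d63585329b8cfca2a012476b46387435410b995aeae5b502bd95e": (87157760, "JDownloader2Setup_windows-x86_v11_0_29.exe"),
    "e4a20f746b7dd19b8d9601b884e67c8166ea9676b917adea6833b695ba13de16": (86576128, "JDownloader2Setup_windows-x86_v17_0_17.exe"),
    "4ff7eec9e69b6008b77de1b6e5c0d18aa717f625458d80da610cb170c784e97c": (62498304, "JDownloader2Setup_windows-x86_v1_8_0_472.exe"),
}

def sha256_of(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so 100 MB installers are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, iocs=SUBSTITUTES):
    """Return sorted (path, listed_name) pairs for files whose size and SHA-256 both match."""
    sizes = {size for size, _ in iocs.values()}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                if size not in sizes:
                    continue  # cheap prefilter: only hash files with a listed size
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable or vanished file; skip it
            # Match on content, so a renamed download is still found.
            if iocs.get(digest, (None,))[0] == size:
                hits.append((path, iocs[digest][1]))
    return sorted(hits)

if __name__ == "__main__":
    # Assumed default location; pass another directory as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    for path, listed in sweep(target):
        print(f"MATCH {path} (listed as {listed})")
```

A clean sweep only means none of these eight files is present under the scanned directory; it says nothing about files that were already run and deleted.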

Incident Context

Cause: Website Compromise
Transitive: No

External References

Source record: proprietary/jdownloader/meta.yaml