The official JDownloader project website — the primary distribution channel for the widely used open-source download manager software — was compromised between approximately 18:00 UTC on 6 May 2026 and 11:00 UTC on 7 May 2026. During this window, download links on jdownloader.org were replaced with trojanised installer packages delivering a Python-based remote access trojan.
The JDownloader project confirmed the compromise and has restored legitimate installers. Users who downloaded and installed JDownloader from the official site during the approximately 17-hour compromise window should assume their system is compromised.
Malware Details
The trojanised installers were crafted to install functional JDownloader software alongside the embedded malware payload — maintaining the cover of a legitimate software installation to delay detection.
Windows payload: The Windows installer delivered a Python-based RAT using a signed executable wrapper. The signing certificate was issued to “Zipline LLC” and “The Water Team” — companies with no apparent legitimate connection to the JDownloader project. The certificate was revoked by the issuing CA following disclosure but was valid during the compromise window. The Python RAT established persistence via a Windows Registry run key and communicated with attacker-controlled C2 infrastructure over HTTPS.
Linux payload: The Linux installer included a shell script that downloaded and executed a secondary Python payload from attacker infrastructure as part of the installation process.
RAT Capabilities: The installed payload is a Python-based RAT with capabilities including:
- System reconnaissance (OS version, installed software, running processes)
- Credential harvesting from browser stored credentials (Chrome, Firefox, Edge, Brave)
- Clipboard monitoring
- File exfiltration on demand
- Persistent command execution from C2
- Screenshot capture
Incident Timeline and Scope
JDownloader reports that the attack compromised the web hosting account for jdownloader.org, allowing the attacker to replace the download links in the site’s HTML. The project’s source code repositories, signed official releases, and Maven Central packages were not affected — the attack targeted only the download links served by the website.
JDownloader has over 10 million registered users and is consistently one of the most downloaded open-source download utilities. Estimating exposure during the 17-hour window is difficult — download volume varies significantly by time of day, and the project has not published an estimate of affected users.
Remediation for Affected Users
If you installed JDownloader from jdownloader.org between 6 May 2026 at approximately 18:00 UTC and 7 May 2026 at approximately 11:00 UTC:
- Isolate the machine: Disconnect from the network before beginning remediation
- Revoke and rotate credentials: Change passwords for all accounts you have logged into from the affected machine, prioritising email, banking, corporate SSO, and cryptocurrency wallets. Assume all browser-stored credentials have been harvested
- Check browser saved passwords: Review for any accounts that show unexpected recent activity
- Remove the malware: Antivirus products are being updated to detect the Python RAT signatures — run a full scan with an updated engine. Also check %APPDATA%\ and %LOCALAPPDATA%\ for unexpected Python directories
- Reinstall JDownloader: Download JDownloader from the verified JDownloader mirror at mirror.jdownloader.org (the project’s separate CDN, which was not compromised) and verify that the SHA256 hash of the installer matches the hash published on the project’s GitHub releases page
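The following script is an added example, not code from the JDownloader project or from this article: it performs the two checks from the steps above, comparing a downloaded installer's SHA256 against the hash copied from the project's GitHub releases page, and listing Python-looking directories under %APPDATA% and %LOCALAPPDATA% for manual review. The directory-name hints it uses are an assumption for illustration, not published indicators from the incident.

```python
"""Defender-side checks for the remediation steps: installer hash verification and a
scan of the profile roots for unexpected Python directories (added example)."""
import hashlib
import hmac
import os
import sys
from pathlib import Path

# Name fragments worth a second look. Assumption for illustration only, not an IoC
# published for this incident; adjust to what your environment normally contains.
PYTHON_DIR_HINTS = ("python", "pyinstaller", "_mei")


def sha256_file(path: str) -> str:
    """Hash the file in 1 MiB chunks so a large installer is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def installer_matches(path: str, published_sha256: str) -> bool:
    """Compare the file hash with the hash copied from the releases page.
    Whitespace and case are normalised because pasted hashes often carry both."""
    expected = published_sha256.strip().lower()
    return hmac.compare_digest(sha256_file(path), expected)


def suspicious_python_dirs(roots) -> list:
    """Return first-level directories under each root whose name matches a hint.
    Missing roots are skipped so the same call works on any machine."""
    hits = []
    for root in roots:
        base = Path(root)
        if not base.is_dir():
            continue
        for entry in base.iterdir():
            if entry.is_dir() and any(hint in entry.name.lower() for hint in PYTHON_DIR_HINTS):
                hits.append(str(entry))
    return sorted(hits)


def windows_profile_roots() -> list:
    """%APPDATA% and %LOCALAPPDATA%, the locations named in the remediation steps."""
    return [p for p in (os.environ.get("APPDATA"), os.environ.get("LOCALAPPDATA")) if p]


if __name__ == "__main__":
    # Usage: python check_jd.py <installer path> <sha256 from the GitHub releases page>
    installer, published = sys.argv[1], sys.argv[2]
    print("hash OK" if installer_matches(installer, published) else "HASH MISMATCH - do not run")
    for d in suspicious_python_dirs(windows_profile_roots()):
        print("review:", d)
```

A directory listed by the scan is a review item, not proof of compromise; a legitimately installed Python runtime will show up too.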
For enterprise environments: If JDownloader was installed on any corporate-connected machine during this window, escalate to your incident response team. Browser credential exfiltration from a corporate machine could expose corporate SSO credentials, VPN tokens, and internal application access.