JDownloader supply-chain breach delivers Python RAT through fake installers
From May 6–7, 2026, the official JDownloader site was compromised to redirect Windows and Linux installer downloads to malicious payloads. The Windows dropper is a Python-based RAT; the Linux installer downloads two ELF binaries, sets up persistence, and masquerades as a system process. The attack exploited CMS access but did not give attackers full OS control. Only the alternative Windows installer and Linux shell installer were affected; other downloads remained safe. Users should verify Digital Signatures (AppWork GmbH) to confirm legitimacy, avoid unsigned or differently signed files, and, if infected, reinstall the OS and reset passwords. Researchers provided IOCs for further analysis.