Attackers replaced the JDownloader installer downloads with malware during a compromise window on May 6-7, 2026. The Windows “Download Alternative Installer” links and the Linux shell installer were affected, while other options such as macOS, JAR files, Flatpak, Winget, and Snap packages stayed safe.
The malicious Windows installers deployed a Python-based remote access Trojan (RAT). The developers confirmed the breach on May 7 and took the website offline for investigation; it was restored on May 8-9 after patches and hardening. The attack was traced to an unpatched CMS security bug that allowed attackers to modify access control lists without authentication.
Users were advised to verify that installers carry a digital signature from “AppWork GmbH”, since the compromised versions lacked one, and to run a full system scan with a trusted anti-malware solution. Malwarebytes also blocks the domains contacted by the RAT.
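
The signature check advised above, as an added PowerShell example (not code from the JDownloader developers or Malwarebytes): it reports the Authenticode status and signer of installers in a folder and flags files created around the May 6-7 window. The download folder, the `*JDownloader*.exe` file filter, the exact certificate name match and the one-day padding of the window are assumptions.

```powershell
# Added example. Folder and file filter are assumptions; adjust to where installers were saved.
param(
    [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'),
    [string]$Filter = '*JDownloader*.exe',       # assumed installer naming
    [string]$ExpectedSigner = 'AppWork GmbH'     # signer name stated in the report
)

# Compromise window from the report (May 6-7, 2026), padded by a day on each
# side (assumption) because exact times and time zone are not stated.
$windowStart = Get-Date '2026-05-05'
$windowEnd   = Get-Date '2026-05-09'

$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

$results = Get-ChildItem -Path $Folder -Filter $Filter -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) {
            $sig.SignerCertificate.GetNameInfo($nameType, $false)
        } else { '' }

        # Trust only a signature that validates AND names the expected publisher.
        # A name match alone is not enough: Status must be Valid, which also
        # rules out unsigned files (NotSigned) and tampered ones (HashMismatch).
        $trusted = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedSigner)

        [pscustomobject]@{
            File      = $_.Name
            Created   = $_.CreationTime
            InWindow  = ($_.CreationTime -ge $windowStart -and $_.CreationTime -lt $windowEnd)
            SigStatus = $sig.Status
            Signer    = $signer
            Trusted   = $trusted
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

$results | Sort-Object Trusted, Created | Format-Table -AutoSize

# Any installer without a valid signature from the expected publisher is suspect.
$suspect = @($results | Where-Object { -not $_.Trusted })
if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) installer(s) lack a valid $ExpectedSigner signature. Do not run them."
    exit 1
}
```

An untrusted file with `InWindow` set is the strongest candidate for one of the replaced downloads; if it was already executed, treat the host as compromised and follow the full-scan advice above.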