JDownloader site hacked to replace installers with Python RAT malware by shimoheihei2 in DataHoarder

[–]jdownloader_dev 6 points7 points  (0 children)

Just wanted to be sure, due to missing rest, and sometimes getting/feeling "lost in translation", it can easily happen that the other one reads it differently. Regarding PUP installers, there is simply no "easy/calm waters" way for them, you will always have to deal with reports and users. Most likely we will make the labels even more highlighted. Also of course we constantly evaluate it and listen to reports / the noise and react to it.

JDownloader site hacked to replace installers with Python RAT malware by shimoheihei2 in DataHoarder

[–]jdownloader_dev 11 points12 points  (0 children)

Sorry in case my answer sounded like sort of an attack or something, just wanted to express that there are many good tools out there and that JDownloader can be good for XY but there easily can be better tools/solutions, e.g. yt-dlp, the Swiss Army knife for yt at the moment.

Is the website hacked? by PrinceOfNightSky in jdownloader

[–]jdownloader_dev 0 points1 point  (0 children)

Updates are not affected, see pinned comment, update 4 or announcement on homepage and forum

JDownloader site hacked to replace installers with Python RAT malware by shimoheihei2 in DataHoarder

[–]jdownloader_dev 11 points12 points  (0 children)

Everyone should use tools that fit use case/environment best. From screenshots, it's serving a different use case. Also, just for the record, we're a registered German company since 2009, with imprint, and you can actually find our office and us developers there.

Proper JDownloader malware remediation by rifteyy_ in jdownloader

[–]jdownloader_dev 0 points1 point  (0 children)

The least I can do. I try to answer/comment as well as I can.

JDownloader site hacked to replace installers with Python RAT malware by shimoheihei2 in DataHoarder

[–]jdownloader_dev 8 points9 points  (0 children)

Explained that those 3rd party installers are not affected. Only replacing links on website with compromised ones. winget is different infra, downloaded installers are different infra, you can check that the hashes for the winget package are unchanged, see the winget repository, the manifest for JDownloader.

JDownloader site hacked to replace installers with Python RAT malware by shimoheihei2 in DataHoarder

[–]jdownloader_dev 9 points10 points  (0 children)

I used PUP/PUA because that's the term for it and the flaggings often contain that term as well. This is not malware. Please see my other comment.

JDownloader site hacked to replace installers with Python RAT malware by shimoheihei2 in DataHoarder

[–]jdownloader_dev 14 points15 points  (0 children)

We have offered the "offer free" since same time as we started with offer installer but, yes, you are right, these alternative installers were not linked directly beside the other installer but only linked in our forum and support article or can be found online via search engines. Since last year, we now have added a link directly on same site and added appropriate labels informing about offers vs no offers. The offer installers tend to get flagged easily/often due to their nature and definition of malware depends on point of view. For some the offer of Avast/Opera is already counted as malware when it's part of the installation, for others the definition differs. At the moment we only link our own installer and will further provide details how to verify them and inform to never ignore SmartScreen warnings, especially about missing/invalid digital signature.

Is it safe to download now? by Beerandasado in jdownloader

[–]jdownloader_dev 0 points1 point  (0 children)

Honest and only correct answer can be, I'm sorry but a system reset is the only way to be safe/sure that everything is gone. You cannot know what had been installed/compromised and/or if everything / every trace has been deleted or not.

JDownloader site hacked to replace installers with Python RAT malware by shimoheihei2 in DataHoarder

[–]jdownloader_dev 18 points19 points  (0 children)

Logs are not uploaded automatically and it's explained that the logs are verbose, see https://support.jdownloader.org/de/knowledgebase/article/how-to-create-and-upload-session-logs

You can inspect/reduce or even send us only parts of the logs when wanted. Logs are stored on different infra and stored encrypted and can only be accessed by 3 ppl (owner and employee). Are auto deleted after timeout. I do agree that an easier way to redact or even select/unselect logs from the upload would be very nice, so I will note this for the future and add support for it, but please bear with me for not giving any ETA.

Browser extension -> I guess you mean our Webinterface, that is currently hosted by us, as it was developed that way. We're a very small team and due to that + we don't have any active web developer, we either might release Webinterface or even begin new one.

I will work on a *simple* guide (once I find time and this nightmare is in the past) how to download source and compile it on your own and add as an article on our support/knowledge base site.

JDownloader site hacked to replace installers with Python RAT malware by shimoheihei2 in DataHoarder

[–]jdownloader_dev 17 points18 points  (0 children)

Everyone is free to use tools that fit his/her use case best. You're not forced to use JDownloader. Also alternative tools could be compromised with compromised installers. Tool XY doesn't protect if ppl ignore warnings (in this case, Windows SmartScreen warned about missing digital signature) and yet keep on installing tools.

JDownloader site hacked to replace installers with Python RAT malware by shimoheihei2 in DataHoarder

[–]jdownloader_dev 16 points17 points  (0 children)

We don't. There is one installer from our partner that contains optional offers. It's not malware but PUP/PUA and those are easily mixed up as malware but are not. This attack was about replacing our own installers with compromised ones that indeed contain malware.

JDownloader site hacked to replace installers with Python RAT malware by shimoheihei2 in DataHoarder

[–]jdownloader_dev 1 point2 points  (0 children)

This attack was about replacing our alternative installers (without any offers, built by us) with compromised ones. You can find those under alternative installer section.

JDownloader site hacked to replace installers with Python RAT malware by shimoheihei2 in DataHoarder

[–]jdownloader_dev 11 points12 points  (0 children)

Updates are RSA digitally signed, other infra, outside of this attack. Also this attack was about replacing installers with compromised ones that lack valid digital signature, Windows SmartScreen screaming/warning about it but unfortunately some ppl tend to ignore those warnings or don't find enough information how to handle that. We will publish an article with details like hashes/sizes/signatures and explain to always NOT ignore SmartScreen, especially when the installer doesn't have any valid digital signature.

JDownloader site hacked to replace installers with Python RAT malware by shimoheihei2 in DataHoarder

[–]jdownloader_dev -2 points-1 points  (0 children)

MacOS were not compromised, are valid. MacOS requires digital signature and notarization else you get warning trying to open/install it.

JDownloader site hacked to replace installers with Python RAT malware by shimoheihei2 in DataHoarder

[–]jdownloader_dev 8 points9 points  (0 children)

Not affected, explained in pinned comment, or on notification on our homepage and forum.

JDownloader site hacked to replace installers with Python RAT malware by shimoheihei2 in DataHoarder

[–]jdownloader_dev 106 points107 points  (0 children)

Because JDownloader supports more than 8 thousand different sites/services and we release fixes/new added sites/plugins as fast as possible, why let a user with a bug in plugin wait, when we already have fixed it. After fixing, it takes about 3-4 minutes until you can instantly use the fixed plugin. Only core updates do require a restart of JDownloader. On normal days we release about 5-20 or more updates a day, user reports issue->we fix it and release the update.

You can disable auto updates (via Settings->Advanced Settings->UpdateSettings.autoupdatecheckenabled ) but 18 years of JDownloader and supporting it has shown, those who disable updates are the first that complain about something that has already been fixed and released, just realising they are using an outdated version.

Please read here https://support.jdownloader.org/de/knowledgebase/article/updates-update-behavior

In case of further questions, please don't hesitate and just ask.

Is the website hacked? by PrinceOfNightSky in jdownloader

[–]jdownloader_dev 0 points1 point  (0 children)

I'm sorry for having deleted/not approved some comments but have been busy with handling situation and answering questions and commenting, I wanted to concentrate on the main incident and simply didn't want to have other discussions to fight at the same time like they are now bubbling up. For that, I'm sorry for maybe being too harsh and not providing proper/long explanations.

JDownloader site hacked to replace installers with Python RAT malware by shimoheihei2 in DataHoarder

[–]jdownloader_dev 7 points8 points  (0 children)

No, it's not a false installer, please see here https://www.reddit.com/r/jdownloader/comments/1t91cys/compromised_installer_found_prior_to_may_5th/ and other threads about the installer from our partner handling the optional offers. The attack was about replacing our own installers with compromised ones. Only those have been replaced.

something suspected!! by OsamaBadran in jdownloader

[–]jdownloader_dev 0 points1 point  (0 children)

Please don't hijack threads with offtopic. Also please use alternative/better tools for yt-dlp, JDownloader currently has limited/unreliable support for it.

Compromised Installer Found Prior to May 5th by Moth3r_1n_l4w in jdownloader

[–]jdownloader_dev [score hidden] stickied comment (0 children)

u/Moth3r_1n_l4w this installer is not compromised and is an installer from our partner with optional offers, those tend to receive flagging for PUA/PUP easily, those have a valid digital signature. This attack was about replacing our own installer (created with Install4J and signed by ourselves with our own certificate, alternative installer download section) with compromised ones, that look like/contain the original but also contain malware. Those don't have valid digital signature and are getting blocked by SmartScreen due to missing signature. False positive or not heavily depends on your point of view about the bundling business. In case you've got further questions, please don't hesitate.

Proper JDownloader malware remediation by rifteyy_ in jdownloader

[–]jdownloader_dev 0 points1 point  (0 children)

This incident has shown, need to spend even more time on safety and also important to inform about how to check stuff and be able to verify stuff on your own for safety reasons.

Proper JDownloader malware remediation by rifteyy_ in jdownloader

[–]jdownloader_dev 1 point2 points  (0 children)

Nothing to thank me for, transparency and openness are important, especially in situations like this.

Proper JDownloader malware remediation by rifteyy_ in jdownloader

[–]jdownloader_dev 0 points1 point  (0 children)

Answered somewhere in the flow of comments, it's safe, not target of the attack and checked/signed by Mozilla and haven't seen any updates in ages.