JDownloader is a free download manager used by millions of people to grab files from the web. Between May 6 and May 7, 2026, attackers broke into the official JDownloader website by exploiting an unpatched flaw in its content management system. They quietly swapped the download links — the Windows “Alternative Installer” and the Linux shell installer — with fake versions bundled with malware.
Anyone who downloaded and ran one of those files during that two-day window got infected with a Python-based remote-access trojan (RAT). On Windows, the RAT lets attackers run any Python code they send from their control server. On Linux, it installed itself with root-level privileges, making it especially dangerous. In both cases, attackers gained the ability to read your files, steal passwords, and maintain persistent access to your machine.
How to check if you’re affected
Affected versions are the Windows and Linux installers downloaded from the official JDownloader website specifically between May 6 and May 7, 2026. Downloads made through in-app updates, Winget, Flatpak, Snap, macOS downloads, or the main JAR package were not affected.
To verify your Windows installer:
- Right-click the installer file → Properties → Digital Signatures tab.
- Legitimate JDownloader installers are signed by “AppWork GmbH”. Any other signer — or no signature at all — means the file is malicious.
If you installed an unsigned version, security researchers recommend a full operating system reinstall and changing all passwords on the affected device from a clean machine.