HeadlinesBriefing.com

JDownloader Website Hacked - Malware Served to Users for Over a Day

Hacker News

JDownloader's website was compromised by attackers who spent over a day serving malware-laced downloads to Windows and Linux users. The breach began on May 6 when hackers exploited an unpatched security vulnerability allowing them to modify the site's Access Control Lists without authentication. Users quickly flagged the issue after Windows SmartScreen started rejecting the downloads and showing a suspicious publisher, "Zipline LLC," instead of the expected "AppWork" signature.

The attackers specifically targeted the alternative download page, replacing all Windows installer links with malicious unsigned executables and swapping the Linux shell installer with a version containing malicious shell code. However, the main JDownloader.jar file, macOS installers, and packages from repositories like Winget, Flatpak, and Snap remained untouched since they rely on separate infrastructure secured with checksums, and in-app updates are protected by end-to-end digital signatures.

This incident marks another supply chain attack leveraging trusted utilities to deliver malware, following last month's breach of CPUID's website. Users who installed the compromised files reported that the malware disabled Windows Defender entirely, highlighting the severity of the threat.
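The publisher mismatch that users noticed can be checked directly on a Windows host that may have received one of these installers. The PowerShell below is an added example, not code from the article or from the JDownloader project; the search folder, the file-name pattern and the substring match on "AppWork" are assumptions.

```powershell
# Added example: triage downloaded JDownloader installers by Authenticode signer.
param(
    [string]$SearchRoot        = "$env:USERPROFILE\Downloads", # assumption: where installers were saved
    [string]$NamePattern       = '*JDownloader*.exe',          # assumption: installer file naming
    [string]$ExpectedPublisher = 'AppWork'                     # publisher name given in the article
)

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Publisher
    )

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # A valid signature alone is not enough: the signer must also be the expected one.
    # Substring matching on the subject is a coarse check (assumption); pinning the
    # certificate thumbprint taken from a known-good copy is stricter.
    $verdict = if ($sig.Status -eq 'NotSigned') { 'UNSIGNED' }
               elseif ($sig.Status -ne 'Valid') { "INVALID ($($sig.Status))" }
               elseif ($subject -notmatch [regex]::Escape($Publisher)) { 'UNEXPECTED PUBLISHER' }
               else { 'OK' }

    [pscustomobject]@{
        Verdict       = $verdict
        Signer        = $subject
        SHA256        = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        LastWriteTime = (Get-Item -LiteralPath $Path).LastWriteTime
        Path          = $Path
    }
}

# Report every matching installer; anything other than OK needs follow-up.
Get-ChildItem -Path $SearchRoot -Filter $NamePattern -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-InstallerSignature -Path $_.FullName -Publisher $ExpectedPublisher } |
    Sort-Object Verdict |
    Format-Table -AutoSize -Wrap
```

The SHA256 and LastWriteTime columns are included so that flagged files can be compared against the May 6 timeframe and against hashes from a known-good source.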