About this page This notice on jdownloader.org is the public incident information for users. If we add or change details later, reload this page to see the latest version.
Who may be at risk: Only people who downloaded and installed from jdownloader.org during 6th–7th May 2026 (UTC) using one or more website download links for "Download Alternative Installer" and/or the affected Linux shell installer link — see the timeline below.
Who is not affected: Everything that is not among the at-risk cases above. The incident was limited to specific links on this site, so other paths are unaffected for that structural reason. We only name channels below that we have explicitly reviewed; the list is not exhaustive, and we do not list distribution options we have not checked ourselves.
- Other installer download options on jdownloader.org (everything except "Download Alternative Installer" and the affected Linux shell installer link), per our incident analysis of the site.
- Updates installed through JDownloader's built-in updater (RSA-signed; see In-app updates), which is independent of the manipulated website links.
- Channels we have explicitly verified as not connected to the manipulated jdownloader.org links: winget, Flatpak (e.g. Flathub), Snap, and Docker images from registries.
What happened
In early May 2026, attackers succeeded in altering the official JDownloader website so that certain installer links published here were repointed from the genuine JDownloader installer downloads to unrelated malicious third-party files: on Windows, only the installer download links for "Download Alternative Installer" — not the other installers offered on jdownloader.org — and the Linux shell installer link from the site. Our genuine installer packages were not modified — only the targets of the download links published here pointed to the wrong files. Installer binaries continue to be hosted externally as usual. Once confirmed, those malicious link targets were removed, links were corrected back to the legitimate external hosts, and the security issue was fixed. The website stayed fully offline while analysis, remediation, and further verification were completed. In the night of 8th–9th May 2026 (UTC), after those checks, it was brought back online and normal public service resumed with verified clean installer links.
Technical scope: Changes were made through the website's content management system, affecting published pages and links. The attacker did not gain access to the underlying server stack — in particular no access to the host filesystem or broader operating-system-level control beyond CMS-managed web content. Access to personal data did not occur in connection with this incident.
jdownloader.org is secure again.
Timeline (UTC)
Approximate order of events:
- 5th May 2026, late evening (~23:55 UTC) — Attackers tested their approach on a low-traffic page before changing live installer links.
- 6th May 2026, shortly after midnight (~00:01 UTC) — On jdownloader.org, a few download links were changed: if you used "Download Alternative Installer" or the Linux shell installer link, you could get malicious files from elsewhere instead of the real JDownloader installers. Other installers on the same page were not affected.
- 6th through 7th May 2026 — Primary risk window for downloads via those manipulated links.
- 7th May 2026 — At we were alerted to the problem via reddit.com. Suspicious downloads and warnings became visible; the issue was confirmed and incident handling began. At , the server was shut down.
- 7th → 8th May 2026 — Malicious link targets removed; legitimate installer links restored; remediation completed; configuration hardened. The website remained fully offline until that work plus follow-on analysis and remediation were finished.
- Night of 8th–9th May 2026 (UTC) — After further checks, the website was brought back online; normal operation resumed with verified clean installer links.
What was involved
- Windows: Only the "Download Alternative Installer" installer download links on the site were manipulated: they pointed users to unrelated malicious downloads, not to defective or modified copies of our own installers. If you used such a link during the risk window, the file you got could fail usual trust checks (unexpected publisher, missing or invalid signature vs. genuine installers from us).
- Linux: A shell-based installer obtained via a swapped link could contain harmful commands.
Known malicious file indicators
Official JDownloader installer packages were not modified; the following SHA256 digests and exact sizes in bytes describe unrelated malicious files that were observed as the substituted download targets during the incident. Your saved copy may use a different file name; compare hash and size together. A match is a strong indicator of the bad file — do not run it; delete it and obtain a fresh installer from the official download section on jdownloader.org.
Below are the known SHA256 checksums of the malicious substitute installer files observed during this incident.
| File name (as observed) | Size (bytes) | SHA256 |
|---|---|---|
| JDownloader2Setup_unix_nojre.sh | 7934496 | 6d975c05ef7a164707fa359284a31bfe0b1681fe0319819cb9e2c4eec2a1a8af |
| JDownloader2Setup_windows-amd64_v11_0_30.exe | 104910336 | fb1e3fe4d18927ff82cffb3f82a0b4ffb7280c85db5a8a8b6f6a1ac30a7e7ed9 |
| JDownloader2Setup_windows-amd64_v17_0_18.exe | 101420032 | 04cb9f0bca6e0e4ed30bc92726590724bf60938440b3825252657d1b3af45495 |
| JDownloader2Setup_windows-amd64_v1_8_0_482.exe | 61749248 | 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3 |
| JDownloader2Setup_windows-amd64_v21_0_10.exe | 107124736 | 32891c0080442bf0a0c5658ada2c3845435b4e09b114599a516248723aad7805 |
| JDownloader2Setup_windows-x86_v11_0_29.exe | 87157760 | de8b2bdfc61d63585329b8cfca2a012476b46387435410b995aeae5b502bd95e |
| JDownloader2Setup_windows-x86_v17_0_17.exe | 86576128 | e4a20f746b7dd19b8d9601b884e67c8166ea9676b917adea6833b695ba13de16 |
| JDownloader2Setup_windows-x86_v1_8_0_472.exe | 62498304 | 4ff7eec9e69b6008b77de1b6e5c0d18aa717f625458d80da610cb170c784e97c |
In-app updates
This incident did not affect updates delivered from inside JDownloader.
Every update installed through the application's built-in updater is RSA-signed and cryptographically verified. That channel is independent of the website download links that were manipulated.
How to tell if you might be affected
Timing and execution: You are only in the potential at-risk group if you downloaded an installer via the affected website links during the risk window in the timeline and you ran (executed) that file. Visiting the site alone, downloads outside that window, or a file you never executed are different situations (see the subsections below).
If you still have a downloaded installer, compare SHA256 and byte size to the known malicious indicators (Windows and Linux shell script).
Windows: "Download Alternative Installer" from jdownloader.org
- Confirm you mean an installer from any of the "Download Alternative Installer" download links on the site — other installers on jdownloader.org were not swapped. Note roughly when you downloaded (see timeline).
- Locate the file if you still have it; do not run it until verified.
- Right-click → Properties → Digital Signatures: genuine installers should show AppWork GmbH. Unknown publishers or missing signatures → do not execute; delete the file.
- Never bypass SmartScreen or Defender warnings to force a run.
Linux shell installer from the website
Do not re-run until you can verify integrity (for example checksums published with the genuine installer, or signature checks as above). If you cannot verify, delete the file and obtain a fresh installer from the official download section on jdownloader.org — installer links there have been restored and verified.
Only in-app or store updates
Those paths were not tied to this website installer issue. In-app updates are RSA-signed (see In-app updates above). Continue normal good habits (updates, scans, heed warnings).
No file left / unsure
Run a full scan with up-to-date security software. Treat browser download history only as a memory aid. If you suspect execution of malware, follow the next section.
What to do next
File never started
If the file was never executed, usually nothing happened. Delete it and download fresh installer packages from jdownloader.org (official download section).
Installer executed — when in doubt
Clear recommendation: If you cannot rule out that you downloaded and executed a malicious installer, perform a clean reinstall of your operating system (full wipe / fresh install or vendor recovery). Antivirus scans reduce risk but cannot guarantee removal of every persistence mechanism.
Until you consider the system clean again, avoid sensitive logins on this machine if you can; change passwords for important accounts from another device. On this PC run a full scan with up-to-date protection and review unfamiliar programs and startup entries. Restore personal files only from backups you trust.
General security tips
- Verify digital signatures before running installers from the web.
- Never ignore antivirus, Microsoft Defender, or SmartScreen warnings.
- Do not disable real-time protection or habitually click through warnings.
- Prefer official channels.
- Keep your operating system and browser updated.
- When uncertain, pause — download later from a verified channel.