Overview
- The compromise, identified Thursday, May 7 after a Reddit user saw Microsoft Defender flag the downloads, repointed the Windows “Download Alternative Installer” and the Linux shell installer to malicious files.
- JDownloader says attackers abused a flaw in its content management system that let them change access controls and edit published pages without logging in.
- Researchers report the Windows executables acted as a loader for a heavily obfuscated Python remote-access trojan, with command servers observed at parkspringshotel[.]com and auraguest[.]lk.
- BleepingComputer found the altered Linux script fetched an archive from checkinnhotels[.]com, installed a SUID-root binary named systemd-exec, set persistence via /etc/profile.d, and launched a payload disguised as upowerd.
- The website returned Saturday, May 9 after patching and hardening, and the team urges anyone who ran the swapped installers to reinstall their OS and reset passwords, noting in-app updates and other signed packages were not altered.
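For Linux users who want to check whether the swapped installer ever ran, the two filesystem artifacts named above (a setuid-root binary called systemd-exec and a hook under /etc/profile.d that launches it) are easy to look for. The script below is an added triage example, not code from JDownloader or from the researchers; the install path /usr/local/bin and the profile.d file names it plants are constructed for the demo, since the report names only systemd-exec, upowerd and /etc/profile.d.

```shell
#!/bin/sh
# Added triage helper: looks for the artifacts the altered Linux installer is
# reported to leave behind. Run "triage /" on a host to check it; the demo at
# the bottom builds a constructed directory tree so it runs without root access.

# Print every regular file named systemd-exec with the setuid bit under $1.
# systemd ships no binary by that name, so any hit deserves a closer look.
find_suid_systemd_exec() {
    root="${1:-/}"
    find "$root" -xdev -type f -name 'systemd-exec' -perm -4000 2>/dev/null
}

# Print profile.d scripts that reference the dropper's names. Every login shell
# sources /etc/profile.d, which is what makes it a persistence point.
find_profile_d_persistence() {
    root="${1:-/}"
    grep -lE 'systemd-exec|upowerd' "$root"/etc/profile.d/* 2>/dev/null || true
}

# Print the number of indicator hits under $1 (0 means nothing was found).
triage() {
    root="${1:-/}"
    hits=$( { find_suid_systemd_exec "$root"; find_profile_d_persistence "$root"; } | grep -c '' ) || true
    echo "$hits"
}

# Build a constructed tree mimicking a compromised host. The paths and file
# names here are assumptions for the demo, not values from the report.
build_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/profile.d" "$dir/usr/local/bin"
    printf '#!/bin/sh\necho placeholder\n' > "$dir/usr/local/bin/systemd-exec"
    chmod 4755 "$dir/usr/local/bin/systemd-exec"                  # setuid bit set
    printf '#!/bin/sh\n/usr/local/bin/systemd-exec &\n' > "$dir/etc/profile.d/zz-sample.sh"
    printf 'export EDITOR=vi\n' > "$dir/etc/profile.d/editor.sh"  # benign, must not match
    printf '%s\n' "$dir"
}

sample=$(build_sample_tree)
echo "indicator hits under $sample: $(triage "$sample")"
find_suid_systemd_exec "$sample"
find_profile_d_persistence "$sample"
rm -rf "$sample"
```

A zero hit count does not prove a host is clean, since the payload could have been moved or renamed after installation; it only confirms that the specific artifacts described in the report are absent, which is why the project's advice to reinstall still stands for anyone who ran the installer.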