
[Package Issue]: AppWork.JDownloader 2.1 – Manifest points to unofficial third-party GitHub mirror (byGOG/jdownloader2-mirror) #354250

@DJeee


Package Information

  • Package Identifier: AppWork.JDownloader
  • Package Version: 2.1
  • Affected Manifest: Version 2.1, currently available in the winget source

Issue Summary

The manifest for AppWork.JDownloader version 2.1 points to an unofficial, unauthorized third-party GitHub repository instead of the official JDownloader download source. The installer URL in the manifest directs to:

https://github.com/byGOG/jdownloader2-mirror/releases/download/v2025.06.17/JDownloader2Setup_windows_x64_java21.exe

This repository ([byGOG/jdownloader2-mirror](https://github.com/byGOG/jdownloader2-mirror)) was created just days ago (release dated March 29, 2026) by a user unaffiliated with AppWork GmbH. JDownloader does not have an official GitHub presence – the source code is hosted on SVN (svn://svn.jdownloader.org/jdownloader), and all GitHub repositories related to JDownloader are unofficial community mirrors.

The existing 2.0 manifest correctly points to https://installer.jdownloader.org/, the official download source. The 2.1 manifest replaces this with a personal GitHub repository.

Version Number Concern

The official JDownloader website ([jdownloader.org/jdownloader2](https://jdownloader.org/jdownloader2)) does not use version 2.1. The product is referred to simply as "JDownloader 2." While some third-party download aggregators (e.g., MajorGeeks, TechSpot) label the product as "2.1," this version number does not originate from AppWork GmbH. The existing winget manifest uses version 2.0, consistent with how the official publisher identifies the product. The 2.1 version number in this manifest appears to have been chosen so that winget upgrade treats it as a newer version than the existing 2.0 package.

How I Discovered This

I ran winget upgrade --all and noticed that JDownloader was updated from an unfamiliar source. The update triggered JDownloader to open automatically after installation. I found the situation suspicious because:

  • The installer was downloaded from a GitHub repository I had never seen before
  • The repository was only a few days old
  • The official JDownloader site does not publish version 2.1

I have since uninstalled JDownloader.

Evidence from winget Logs

The winget log at WinGet-2026-03-31-15-13-31.429.log confirms the download source and silent execution:

```text
[CLI ] Manifest fields: Name [JDownloader 2], Version [2.1]

[CLI ] Generated temp download path:
C:\Users\...\AppData\Local\Temp\WinGet\AppWork.JDownloader.2.1\504b6af59ea6c42582afdcf48f3cb8165cd92daacecac9fb01fff67054617e45

[CORE] DeliveryOptimization downloading from url:
https://github.com/byGOG/jdownloader2-mirror/releases/download/v2025.06.17/JDownloader2Setup_windows_x64_java21.exe

[CORE] Download completed.
[CLI ] Installer hash verified

[CLI ] Starting: '...\JDownloader2Setup_windows_x64_java21.exe' with arguments '-q'

[CLI ] The entry determined to be associated with the package is 'JDownloader 2', with publisher 'AppWork GmbH'
```

Cached Manifest Content (Version 2.1)

The cached manifest file from winget's local cache confirms the full content:

```yaml
Author: AppWork GmbH
ElevationRequirement: elevationRequired
InstallerSwitches:
  Silent: -q
  SilentWithProgress: -q
InstallerType: exe
Installers:
- Architecture: x64
  InstallerSha256: 504B6AF59EA6C42582AFDCF48F3CB8165CD92DAACECAC9FB01FFF67054617E45
  InstallerUrl: https://github.com/byGOG/jdownloader2-mirror/releases/download/v2025.06.17/JDownloader2Setup_windows_x64_java21.exe
ManifestVersion: 1.10.0
PackageIdentifier: AppWork.JDownloader
PackageVersion: 2.1
Publisher: AppWork GmbH
```

Notable details:

  • Only x64 architecture is listed (the official 2.0 manifest includes both x86 and x64)
  • The manifest includes a Turkish (tr-TR) localization, matching the GitHub account owner's stated location (Bursa, Turkey)
  • The InstallerUrl points to a personal GitHub repository instead of installer.jdownloader.org

Hash Verification

The SHA256 hash in the manifest (504B6AF5...) does not match the current hash listed on the official JDownloader download page (4418BD3C... for the Windows x64 Java 21 installer). However, this discrepancy alone does not prove tampering: the official page states it was last updated on March 31, 2026, while the byGOG repository hosts files from a build dated June 17, 2025. These are different builds, so different hashes are expected.

The core problem is that there is no way to verify whether the file hosted on the byGOG repository was ever an authentic, unmodified official JDownloader installer, because the old official installer is no longer available for comparison.

Comparison: Official vs. This Manifest

| | Official (jdownloader.org) | Manifest 2.0 | Manifest 2.1 |
|---|---|---|---|
| Installer Source | installer.jdownloader.org | installer.jdownloader.org | github.com/byGOG/... |
| Architectures | x86, x64, ARM64 | x86, x64 | x64 only |
| Version | "JDownloader 2" | 2.0 | 2.1 (not used by publisher) |
| Installer domain | jdownloader.org | jdownloader.org | github.com (personal account) |

Security Concern

This is not the same as JDownloader being available on third-party download sites like Softpedia or MajorGeeks. When a user downloads software from such a site, they make a conscious decision – they see the source, evaluate it, and choose to proceed. What happened here is fundamentally different: someone submitted a manifest under the existing package identifier AppWork.JDownloader, artificially incremented the version number, and as a result, winget upgrade --all silently downloaded and executed an installer from an unverified source with elevated privileges – without the user ever seeing a URL or being asked to confirm the source.

This means the mechanism works as an attack vector. Even if this particular submitter may have had good intentions and merely mirrored the official file, the same approach could be used by a malicious actor to distribute a modified installer that would be silently executed with admin rights on every affected system. The fact that this manifest passed the winget-pkgs review process demonstrates that the current safeguards did not catch it.

Any user with JDownloader installed who ran winget upgrade --all between March 29 and now would have been affected.

Requested Action

  1. Remove the version 2.1 manifest for AppWork.JDownloader from the winget package source
  2. Investigate how this manifest passed review – the installer URL points to a personal GitHub account rather than the official publisher's domain (installer.jdownloader.org or jdownloader.org)
  3. Consider additional safeguards for manifest submissions that change the installer URL domain from one version to another, especially when the new source is a recently created repository

Disclosure

I am not a security researcher or software developer. I noticed this issue because the update source looked unfamiliar, and I investigated the winget logs, cached manifest, and official download page with the help of Claude (Anthropic, Claude Opus 4.6). All technical findings – log analysis, manifest inspection, hash comparison, and this report – were produced through that AI-assisted investigation based on data from my system.


Environment

  • Windows: Windows.Desktop v10.0.26200.8037
  • winget: v1.28.220
  • Date of incident: March 31, 2026, ~15:13 local time
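The domain-change safeguard proposed under Requested Action, as an added example that is not part of this issue or of the winget-pkgs project: it reads two singleton manifests, flags any installer host that the new version introduces, and flags architectures the new version drops. The 2.1 manifest fields are the ones quoted in the issue; the 2.0 manifest is constructed from what the issue states about it (official host, x86 and x64), and its file names are assumed.

```python
# Added example (not from the issue or winget-pkgs): flag a manifest update whose
# installer host differs from the previous version's, the safeguard proposed above.
from urllib.parse import urlparse
# Constructed from the manifests the issue describes; the 2.0 file names are assumed
# (only its host, installer.jdownloader.org, and its x86/x64 architectures are stated).
MANIFEST_2_0 = """\
PackageIdentifier: AppWork.JDownloader
PackageVersion: 2.0
Installers:
- Architecture: x86
  InstallerUrl: https://installer.jdownloader.org/JDownloader2Setup_windows_x86_java21.exe
- Architecture: x64
  InstallerUrl: https://installer.jdownloader.org/JDownloader2Setup_windows_x64_java21.exe
"""
MANIFEST_2_1 = """\
PackageIdentifier: AppWork.JDownloader
PackageVersion: 2.1
Installers:
- Architecture: x64
  InstallerSha256: 504B6AF59EA6C42582AFDCF48F3CB8165CD92DAACECAC9FB01FFF67054617E45
  InstallerUrl: https://github.com/byGOG/jdownloader2-mirror/releases/download/v2025.06.17/JDownloader2Setup_windows_x64_java21.exe
"""

def parse_manifest(text):
    """Reads top-level `Key: value` lines and the `Installers` list (not full YAML)."""
    top, installers, cur = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.rstrip() == "Installers:":
            continue
        key, _, val = (s.strip() for s in raw.lstrip(" -").partition(":"))  # first colon only
        if raw.startswith("- "):      # start of a new installer entry
            installers.append(cur := {})
        if raw[0] in " -":            # indented: field of the current installer
            cur[key] = val
        else:
            top[key] = val
    top["Installers"] = installers
    return top

def installer_hosts(manifest):
    return {urlparse(i["InstallerUrl"]).hostname for i in manifest["Installers"]}

def review_update(old_text, new_text):
    """Findings a reviewer should see before accepting new_text as the next version."""
    old, new = parse_manifest(old_text), parse_manifest(new_text)
    findings = []
    for host in sorted(installer_hosts(new) - installer_hosts(old)):
        findings.append(f"installer host changed to {host}; previous versions used {', '.join(sorted(installer_hosts(old)))}")
    archs = lambda m: {i.get("Architecture") for i in m["Installers"]}
    for arch in sorted(archs(old) - archs(new)):
        findings.append(f"architecture dropped: {arch}")
    return findings
```

Run against the two manifests, `review_update` reports both the move to github.com and the dropped x86 installer, which is exactly the pair of changes the issue describes.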
