Xubuntu Download Page Hijacked with Crypto‑Stealing Malware
A security researcher discovered that the official Xubuntu download page was compromised, delivering a ZIP containing a tos.txt file with a bogus 2026 copyright and a malicious Windows executable that functions as a crypto‑clipper, prompting Xubuntu to temporarily disable the download site while investigating the breach.
A user identified as vx‑underground reported on Reddit and X that the URL xubuntu.org/download/ served a ZIP file instead of the expected Xubuntu Linux image. The archive contained two items: a text file named tos.txt that incorrectly displayed "Copyright (c) 2026 Xubuntu.org", and a Windows executable.
Analysis of the executable revealed it to be crypto‑clipper malware. When executed, the program installs itself in the Windows AppData directory and begins harvesting users' private information. Commenters described the attack as "incredible" and "unprofessional," suggesting a low‑quality intrusion attempt.
Xubuntu’s official team later confirmed that the platform had been breached. As an immediate mitigation, they temporarily disabled the xubuntu.org/download page to prevent further users from downloading the infected package.
Additional reporting by Linux News indicated that the compromise may have begun in mid‑month, with other sections of the site showing unrelated text and modified copyright notices bearing the same erroneous 2026 year. This suggests broader unauthorized modifications beyond the download page. Users are advised to wait for Xubuntu’s official confirmation that the site has been fully cleaned before attempting to download any images again.
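The mismatch described above, a ZIP holding a Windows executable where a Linux image was expected, can be caught by inspecting file content rather than trusting the name or the source page. The following is an added example, not code from the original report or from Xubuntu; the sample archives and the member name `constructed-sample.bin` are constructed, inert placeholders.

```python
import io
import struct
import zipfile

ISO_MAGIC_OFFSET = 0x8001  # "CD001" sits one byte into sector 16 of an ISO 9660 image


def looks_like_pe(head: bytes) -> bool:
    """True if the bytes start with an MZ header whose e_lfanew field points at a PE signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", head, 0x3C)
    return head[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def classify_download(data: bytes) -> dict:
    """Identify the container type by content and list Windows PE files inside a ZIP."""
    report = {"kind": "unknown", "members": [], "pe_members": []}
    if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == b"CD001":
        report["kind"] = "iso9660"
    elif zipfile.is_zipfile(io.BytesIO(data)):
        report["kind"] = "zip"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                report["members"].append(info.filename)
                with zf.open(info) as fh:
                    # Check content, not extension: the header is enough to spot a PE.
                    if looks_like_pe(fh.read(4096)):
                        report["pe_members"].append(info.filename)
    return report


def constructed_zip() -> bytes:
    """Constructed sample: a text file plus an inert stub carrying only PE magic bytes."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tos.txt", "constructed placeholder text")
        zf.writestr("constructed-sample.bin", bytes(stub))
    return buf.getvalue()


def constructed_iso() -> bytes:
    """Constructed sample: zero-filled blob with only the ISO 9660 signature set."""
    return bytes(0x8000) + b"\x01CD001" + bytes(0x800)
```

This identifies the container type only; it says nothing about whether a file that does look like an ISO image is untampered.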
