Xubuntu.org download page compromised via WordPress vulnerability
Xubuntu · xubuntu.org website (WordPress)
The Xubuntu.org download site was compromised for a brief period in October 2025, serving a malicious zip file instead of legitimate torrents. The compromise was first reported on October 15, leading to an immediate lockdown of the site and an investigation by Canonical’s infrastructure and security teams. By October 19, the malicious files were removed, and the site was deemed clean.
The incident was caused by a malicious actor who gained unauthorized access to the WordPress installation hosting the Xubuntu website. Access was obtained by brute-forcing a vulnerable component of the WordPress instance. Once inside, the attacker injected code that rewrote the download links on the site so they pointed at the malicious file instead of the legitimate torrents.
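The attack above worked by swapping the hrefs on an otherwise unchanged download page, which is the kind of change a site owner can catch with a routine integrity check. The following is an added example, not code from Xubuntu or Canonical: it extracts every anchor from a download page and flags download links whose host is outside an assumed allowlist or whose file type is not the expected torrent or ISO. The allowlisted hosts, the file-type lists and the sample HTML (including the `cdn.example.invalid` host) are constructed for the example; only the `Xubuntu-Safe-Download.zip` filename comes from the incident report.

```python
"""
Integrity check for a distribution download page.

Added example (not Xubuntu's or Canonical's code). It assumes that legitimate
downloads are .torrent or .iso files served from a small, known set of hosts;
everything else that looks like a downloadable file is reported.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts permitted to serve downloads (constructed for this example).
ALLOWED_HOSTS = {"xubuntu.org", "torrent.ubuntu.com", "cdimage.ubuntu.com"}
# File types that count as "a download" at all; the first two are the only legitimate ones.
# ".torrent" is listed before ".iso" so "foo.iso.torrent" is classified as a torrent.
DOWNLOAD_SUFFIXES = (".torrent", ".iso", ".zip", ".exe", ".msi", ".7z", ".tar.gz", ".dmg")
ALLOWED_SUFFIXES = (".torrent", ".iso")

# Constructed sample page: one navigation link, one legitimate torrent link and one
# injected link of the kind described in the incident report.
SAMPLE_HTML = """
<ul>
  <li><a href="/about/">About Xubuntu</a></li>
  <li><a href="https://torrent.ubuntu.com/xubuntu-desktop-EXAMPLE.iso.torrent">Torrent</a></li>
  <li><a href="https://cdn.example.invalid/Xubuntu-Safe-Download.zip">Safe download</a></li>
</ul>
"""


class LinkExtractor(HTMLParser):
    """Collects the href of every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.append(value)


def download_suffix(path):
    """Return the matching download suffix for a URL path, or None if it is not a download."""
    for suffix in DOWNLOAD_SUFFIXES:
        if path.endswith(suffix):
            return suffix
    return None


def classify_link(href, page_host):
    """Return None for a link that is fine, otherwise a short reason it was flagged.

    Non-download links (navigation, mailto, anchors) are ignored; relative download
    links are attributed to page_host so a file dropped onto the site itself is
    still checked against the allowed file types.
    """
    parsed = urlparse(href)
    suffix = download_suffix(parsed.path.lower())
    if suffix is None:
        return None
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return f"unexpected scheme {parsed.scheme}"
    host = parsed.netloc.lower() or page_host
    if host not in ALLOWED_HOSTS:
        return f"host {host} not in allowlist"
    if suffix not in ALLOWED_SUFFIXES:
        return f"unexpected file type {suffix}"
    return None


def audit_page(html, page_host):
    """Return a list of (href, reason) for every download link that fails the check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href in parser.links:
        reason = classify_link(href, page_host)
        if reason:
            findings.append((href, reason))
    return findings


if __name__ == "__main__":
    for href, reason in audit_page(SAMPLE_HTML, "xubuntu.org"):
        print(f"FLAGGED {href}: {reason}")
```

Run against a live page from a scheduled job, this turns a silent link swap into an alert; the check deliberately keys on what a download link is allowed to be (host and type) rather than on any particular malicious filename, so a renamed payload is caught the same way.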
Users who downloaded a file named “Xubuntu-Safe-Download.zip” from the Xubuntu downloads page between October 15 and October 19, 2025, were advised to assume it was malicious and scan their systems. It was clarified that only the Xubuntu website and its torrent links were affected; official Ubuntu repositories, mirrors, and Xubuntu’s build systems or packages remained secure.
Canonical’s team worked to identify the exploit, remove all malicious code, roll back affected pages to a clean state, and harden the WordPress instance. On November 11, Canonical confirmed the exploit path was addressed and the system hardened, restoring download access in a controlled, read-only mode.
As a long-term remediation, the Xubuntu team decided to migrate the website to Hugo, a static site generator, to eliminate the class of attack vector that was exploited. The community played a crucial role in reporting the compromise and assisting affected users. The team also noted that Xubuntu itself cannot accept donations, but its developers can be supported via the Xfce project.