Xubuntu Discloses October Download Site Compromise

Xubuntu confirms a malicious ZIP was served in October and is switching to the Hugo static site generator to prevent similar attacks.

Xubuntu has released a detailed postmortem describing the October compromise of its website’s download page, where the ISO download button briefly served a malicious ZIP file instead of the expected installation image.

The incident began on October 15, when visitors clicking the main “Download” button on Xubuntu.org were redirected to a file named “Xubuntu-Safe-Download.zip.” The archive was malicious.

It’s important to stress that nothing on cdimages.ubuntu.com, official Ubuntu repositories, or the mirror network was affected, and existing Xubuntu installations were never at risk.

According to the project’s postmortem, the attack was made possible after a malicious actor brute-forced a vulnerable component in the WordPress instance Canonical maintains for the Xubuntu team.

Once inside, the attacker injected code that replaced the legitimate ISO download link with the malicious ZIP file. The compromise was reported quickly, prompting Canonical’s infrastructure and security teams to lock down the site and disable the downloads page.

Between October 15 and 19, Canonical and the Xubuntu team identified the intrusion method, removed all injected code, and restored the affected pages from verified clean snapshots.

Additionally, the WordPress installation was hardened and placed in a controlled read-only state while the team initiated a permanent migration away from the platform.

Xubuntu confirms that only the website’s download button was manipulated. The core distribution, build systems, packages, and the official Ubuntu image hosting remained untouched.
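The tampering described above, a download button that points at a ZIP on the website instead of an ISO on the image host, is the kind of change a scheduled page audit can flag. The sketch below is an added example, not code from Xubuntu or Canonical; the allowlisted host and suffixes, the `download` CSS class, the page URL and both sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed policy, not taken from the postmortem: where images may live, what they may be.
ALLOWED_HOSTS = {"cdimages.ubuntu.com"}
ALLOWED_SUFFIXES = (".iso", ".iso.torrent", ".iso.zsync")

# Constructed sample pages (hypothetical markup and paths).
PAGE_URL = "https://xubuntu.org/download/"
CLEAN = ('<a class="btn download" '
         'href="https://cdimages.ubuntu.com/xubuntu/example/xubuntu-example-amd64.iso">Download</a>')
TAMPERED = ('<a href="/about/">About</a>'
            '<a class="btn download" href="/files/Xubuntu-Safe-Download.zip">Download</a>')


class DownloadLinkCollector(HTMLParser):
    """Collects href values of anchors marked as download buttons."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = dict(attrs)
        classes = (attr.get("class") or "").split()
        # Hypothetical marker: the button carries a "download" CSS class.
        if attr.get("href") and "download" in classes:
            self.hrefs.append(attr["href"])


def audit_download_links(html, page_url):
    """Return (absolute_url, reason) for every download link that breaks policy."""
    collector = DownloadLinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        url = urljoin(page_url, href)  # resolve relative links like a browser would
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append((url, "not https"))
        elif parts.hostname not in ALLOWED_HOSTS:
            findings.append((url, "host not allowlisted"))
        elif not parts.path.lower().endswith(ALLOWED_SUFFIXES):
            findings.append((url, "unexpected file type"))
    return findings


if __name__ == "__main__":
    print(audit_download_links(TAMPERED, PAGE_URL))
```

Run against the rendered page on a schedule, any non-empty result is a signal to alert on before visitors report it.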

Users who downloaded the “Xubuntu-Safe-Download.zip” file during this period are urged to delete it immediately and perform a system scan using a trusted antivirus or anti-malware tool.

In response to the incident, the team is finalizing a planned transition to Hugo, a static site generator that removes the dynamic attack surface WordPress exposed.

The migration had been underway for some time, but the October breach accelerated its completion. Once deployed, the new static site will eliminate the type of exploit path used in this compromise.

For more information, see the official announcement on Ubuntu’s mailing list.

Bobby Borisov


Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
