Xubuntu.org Might Be Compromised
38 comments
October 19, 2025 · diogenes_atx
zvmaz
From what I understood, it's the torrent link that downloads a compromised zip file rather than the authentic image:
"Torrent downloads over at https://xubuntu.org/download/ are serving a zip file with a suspicious exe and a tos.txt inside. The TOS starts with Copyright (c) 2026 Xubuntu.org which is sus, because it is 2025. I opened the .exe with file-roller and couldn't find any .torrent inside."
trebligdivad
And where did you get the reference SHA256SUMS from ? Did you check the gpg signature on them against a good sig from somewhere?
ntoskrnl_exe
According to the SHA256SUMS from Canonical's official download page at https://cdimage.ubuntu.com/xubuntu/releases/24.04.3/release/ that is the correct checksum.
tuhgdetzhh
Good point. The checksums posted on Xubuntu.org could also be compromised.
diogenes_atx
I downloaded the checksums and the ISO image from the Xubuntu website: https://mirror.us.leaseweb.net/ubuntu-cdimage/xubuntu/releas...
This url is on the main Xubuntu website, under "Xubuntu 24.04": click "Release page," then select United States. From there, you download the following files: SHA256SUMS, SHA256SUMS.gpg, xubuntu-24.04.3-desktop-amd64.iso
The output from the other checksum commands is shown here:
[user@host]$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 07 Aug 2025 06:05:22 AM CDT
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Can't check signature: No public key
[user@host]$ sha256sum --check SHA256SUMS
xubuntu-24.04.3-desktop-amd64.iso: OK
sha256sum: xubuntu-24.04.3-minimal-amd64.iso: No such file or directory
xubuntu-24.04.3-minimal-amd64.iso: FAILED open or read
sha256sum: WARNING: 1 listed file could not be read
However, checksums for Linux ISOs are not inherently immutable. The checksum itself is just a cryptographic hash generated from the file's contents. While the checksum for a specific, unchanged ISO file is fixed, the checksum that is published on a website could be deliberately altered by an attacker to hide a modified, malicious ISO.
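The session above stops at "Can't check signature: No public key", which means the SHA256SUMS file was never actually authenticated and the later "OK" from sha256sum only proves the ISO matches an unverified list. The script below is an added example, not code from the thread, from Xubuntu or from Canonical; it reimplements the same two steps (gpg --verify, then hash comparison) so the decision logic is explicit: the signing key is pinned by full fingerprint (the one gpg printed above, which is assumed here and must be confirmed from a source independent of xubuntu.org), a signature gpg cannot check is treated as a hard failure, and a listed file that is missing is reported the way sha256sum reported the minimal image. It assumes `gpg` is on PATH; `make_sample_dir()` builds constructed dummy files so the hashing path can be exercised offline.

```python
# Added example (not from the thread, Xubuntu or Canonical): verify an ISO
# against SHA256SUMS only after the checksum file's signature is tied to a
# pinned key fingerprint.
from __future__ import annotations

import hashlib
import subprocess
import tempfile
from pathlib import Path

# Fingerprint gpg printed in the thread ("using RSA key ...").  Assumption:
# confirm from an independent source that it is Canonical's CD image signing
# key; the script only pins whatever value is placed here.
UBUNTU_CDIMAGE_FPR = "843938DF228D22F7B3742BC0D94AA3F0EFE21092"


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse coreutils lines '<hex> *<file>' (binary) or '<hex>  <file>' (text)."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed SHA256SUMS line: {raw!r}")
        sums[name.lstrip(" *")] = digest.lower()
    return sums


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash in chunks; ISOs are gigabytes."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_sums(sums: dict[str, str], directory: Path) -> dict[str, str]:
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every listed file."""
    results = {}
    for name, expected in sums.items():
        path = directory / name
        if not path.is_file():
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_file(path) == expected else "FAILED"
    return results


def signature_is_valid(status: str, expected_fpr: str) -> bool:
    """Judge gpg's --status-fd lines, not its human-readable stderr.

    Only VALIDSIG carrying the pinned fingerprint (signing or primary key)
    passes; NO_PUBKEY ("Can't check signature"), BADSIG, ERRSIG and an
    expired or revoked key all fail, whatever the exit code says.
    """
    expected = expected_fpr.replace(" ", "").upper()
    valid = False
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in ("NO_PUBKEY", "BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False
        # VALIDSIG: fields[2] is the signing key, fields[-1] the primary key.
        if fields[1] == "VALIDSIG" and len(fields) >= 3 and \
                expected in (fields[2].upper(), fields[-1].upper()):
            valid = True
    return valid


def gpg_status(sig: Path, data: Path, gpg: str = "gpg") -> str:
    """Run gpg with machine-readable status lines sent to stdout."""
    cmd = [gpg, "--batch", "--status-fd", "1", "--verify", str(sig), str(data)]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def verify_release(directory: Path, iso_name: str,
                   expected_fpr: str = UBUNTU_CDIMAGE_FPR) -> bool:
    """Signature first, then the hash of the ISO actually on disk."""
    sums_path = directory / "SHA256SUMS"
    status = gpg_status(directory / "SHA256SUMS.gpg", sums_path)
    if not signature_is_valid(status, expected_fpr):
        print("SHA256SUMS is not signed by the pinned key; do not trust its hashes")
        return False
    results = check_sums(parse_sha256sums(sums_path.read_text()), directory)
    for name, result in results.items():
        print(f"{name}: {result}")
    return results.get(iso_name) == "OK"


def make_sample_dir() -> Path:
    """Constructed sample (not real images): good, tampered and never-downloaded files."""
    d = Path(tempfile.mkdtemp())
    (d / "good.iso").write_bytes(b"good image\n")
    (d / "tampered.iso").write_bytes(b"attacker's image\n")
    good = hashlib.sha256(b"good image\n").hexdigest()
    original = hashlib.sha256(b"original image\n").hexdigest()
    (d / "SHA256SUMS").write_text(
        f"{good} *good.iso\n{original} *tampered.iso\n{'0' * 64} *missing.iso\n")
    return d


if __name__ == "__main__":
    import sys
    raise SystemExit(0 if verify_release(Path(sys.argv[1]), sys.argv[2]) else 1)
```

To use it on the files downloaded above, first import the key by its full fingerprint (`gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x843938DF228D22F7B3742BC0D94AA3F0EFE21092`), then run `python3 verify_iso.py . xubuntu-24.04.3-desktop-amd64.iso`. Parsing `--status-fd` output rather than grepping for "Good signature" matters for two reasons: the prose is locale-dependent, and "Good signature" is printed for any key in your keyring, including one an attacker talked you into importing, whereas VALIDSIG lets you compare the actual fingerprint.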
crtasm
There's a stickied comment on the source thread: https://old.reddit.com/r/xubuntu/comments/1oa43gt/xubuntuorg...
hamdingers
> Thanks everyone. We're beholden to our hosting environment for upgrades and it looks like there was a bit of a slip-up here. It's being worked on, but for now the Downloads page is disabled.
Calling this a "slip-up" is an outrageous downplay. If anything this makes me suspicious of the moderator who posted the comment too. One does not accidentally prepare a zip file with a malicious exe and xubuntu-specific language, upload it to a server, and point a torrent link at it.
LambdaComplex
Calling this "a bit of a slip-up" while neither confirming nor denying the presence of malware is weird at best and incredibly suspicious at worst.
amelius
Let's not kid ourselves. A state level actor who is playing the long game can compromise any distro, package, etc. without us knowing about it.
layer8
That kind of defeatism isn’t helpful.
The present case also just seems malware easily detected by VirusTotal: https://old.reddit.com/r/xubuntu/comments/1oa43gt/xubuntuorg...
chorlton2080
Look at all the mainstream scanners that failed to detect it!
layer8
That’s pretty normal in my experience. That’s why you check with VirusTotal instead of a single “mainstream” scanner.
timefirstgrav
Jia Tan with the XZ backdoor was caught because some performance-obsessed person noticed a tiny delay... I'm sure they learned their lesson and are ensuring their next backdoor doesn't impact performance.
3eb7988a1663
That is the insidious question - how many parallel efforts were/are in play when xz was going down? Surely that was not the only long term play to compromise an "unrelated" component of system security. The Jia Tan organization might have already inserted back doors into dozens of different projects by now.
CaptainOfCoit
Sure, but realistically, how many of us right here have state level actors in our threat models? I sure don't, because it'd be impossible to live a normal life then.
iamnothere
But state level actors could target you, so you should immediately abandon any hope of privacy, disable your ad blockers, stop using Signal, install Windows 11, cease any complaints about the government, and eat the bugs.
cozzyd
fortunately, in this case, it seems like the malware may be moot if you use the iso to wipe your windows installation...
eth0up
dominick-cc
Thanks for this link. Opening reddit links on mobile is very frustrating for me because it opens the app and messes with the browser back button for me. Not sure if others have that problem too.
layer8
On iOS Safari, long-press the link and select Open (or Open in Background). That will open the link in the browser instead of in the app, and Safari will remember that preference for the app. Select Open in Reddit to revert.
Also, don’t install the app? Use Sink It instead: https://gosinkit.com/
ants_everywhere
My solution is just to uninstall the app
pluc
That's because you're not supposed to open reddit links anymore, you can just share your content directly with AI companies and ad brokers and cut out the middleman.
exe34
I had the same idea about the britcard - why doesn't the government just buy the information from the ad brokers?
ntoskrnl_exe
Try pressing on the original link and opening it in another tab, that usually bypasses opening the app for me.
marksbrown
For the moment "yesterday for old reddit" on firefox android works quite well.
eth0up
I'm a grovelling Linux fiend and usually support related posts. I tried to visit the url and saw it was blocked. Didn't want the post to die so archived it asap.
Note too, that NextDNS blocks archive.is et al by default unless you manually add redirects.
Whatta world
zvmaz
That is why I use Qubes OS [1] in order to have a certain peace of mind.
EDIT: further comment below:
On second thought, Qubes OS does not prevent such types of malicious downloads; it can also happen to Qubes images. Verify your downloads with checksums and cryptographic signatures [2].
[2] https://doc.qubes-os.org/en/latest/project-security/verifyin...
zvmaz
On second thought, Qubes OS does not prevent such types of malicious downloads; it can also happen to Qubes images. Verify your downloads with checksums and cryptographic signatures [1].
[1] https://doc.qubes-os.org/en/latest/project-security/verifyin...
kachapopopow
qubes is just as vulnerable as xubuntu in this case (poor website security) no?
nekusar
Check a history on archive.org and validate the checksum wasn't changed to be the potentially malicious iso?
It's not perfect... but it's better than nothing.
zvmaz
Yes indeed. Qubes has a good article on verifying distribution images not only with checksums but also with cryptographic signatures that verify the checksum files [1].
[1] https://doc.qubes-os.org/en/latest/project-security/verifyin...
xyzzy123
But aren't you still trusting the website for instructions about how to verify the cryptographic signatures?
I just ran the checksum for the current ISO file of the full Xubuntu desktop version on the Xubuntu website, and the checksum appears to be valid.
https://mirror.us.leaseweb.net/ubuntu-cdimage/xubuntu/releas...
[user@host]$ ls
SHA256SUMS SHA256SUMS.gpg xubuntu-24.04.3-desktop-amd64.iso
[user@host]$ cat SHA256SUMS
b61e083d8a5ab003bad6ef7ea31ec21d7bfdf19b99d75987ab3fa3bbe85ec1bf *xubuntu-24.04.3-desktop-amd64.iso
[user@host]$ sha256sum xubuntu-24.04.3-desktop-amd64.iso
b61e083d8a5ab003bad6ef7ea31ec21d7bfdf19b99d75987ab3fa3bbe85ec1bf xubuntu-24.04.3-desktop-amd64.iso
[user@host]$ echo $?
0