xubuntu.org appears to have been compromised. The torrent download links at https://xubuntu.org/download/ all point to a file named "Xubuntu-Safe-Download.zip", which contains a malicious Windows executable according to https://www.virustotal.com/gui/file/0f59f553fcfac3cac07aa7986eac914be069a6dd407b2d9f761f11d3e865b4f6/detection. A user on Reddit ran the executable in a sandbox; it appears to be masquerading as a downloader for Xubuntu. See https://imgur.com/JpkTCzh.
This is right on the heels of a previous compromise (which attempted to make Windows users download a malicious "browser update" via a full-screen popup). I would strongly suggest taking the xubuntu.org website offline until steps can be taken to prevent another compromise in the near future.
pgp4EOtfjN7Kk.pgp
Description: OpenPGP digital signature
-- xubuntu-devel mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/xubuntu-devel
