Ouch, the Xubuntu website was recently hijacked and ended up serving Windows malware, and this isn't the first time the Xubuntu site was hit.
Back in September (Reddit), the Xubuntu blog appears to have been briefly compromised to serve slot-machine adverts, going by the comments in that Reddit post. This time it was more nefarious: the downloads section (specifically the torrent download) was serving up some form of crypto malware (Reddit).
Confirming the issue on Mastodon in reply to a question about it, Xubuntu contributor Sean Davis noted:
It is. We’re working with Canonical IS to resolve. Since the servers aren’t owned by our team, there’s little we can do. We’ve since taken down the download page and will be expediting our static site development to replace our aging WordPress instance.
With WordPress being as popular as it is and used across so many sites, anyone running it really does need to keep it, along with its plugins and themes, constantly updated with the latest security fixes.
The timing is interesting: with Windows 10 having recently reached end of support, the attackers were likely hoping to catch people attempting to move from Windows, which fits with the payload being Windows malware rather than anything targeting Linux.
Right now, the Xubuntu website is quite broken, with many pages leading to errors. Hopefully they'll be able to sort it out soon.
Caution is always advised when downloading anything from the internet.
While true, this won't help most users one bit. Verifying each and every package in a supply chain is prohibitive for most users, either because they don't possess the necessary tech literacy levels, or simply don't have the time to check fingerprints for each and every package. Not that even that would mean 100% safety, because attackers could also place fingerprints matching their compromised packages while they're in control of the site anyway.
In the end, the operators of major, otherwise trustworthy sites really need to treat their resources as what they are: critical infrastructure.
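The check a user would actually run (the equivalent of `sha256sum -c SHA256SUMS`), and the trap the comment above points at, as an added example. This is Python written for this article, not code from the Xubuntu project or from anyone in the thread; the image contents, the checksum files and the filename are all constructed, and the "out-of-band" checksum file stands in for a copy you verified independently (for instance a detached signature checked with `gpg --verify` against a key you already trusted).

```python
"""Check a download against a SHA256SUMS file, and show why a checksum file
served by the same site as the download proves nothing once that site is
hijacked.

Added example for this article, not code from the Xubuntu project or from the
commenter. Every file, checksum and filename below is constructed.
"""
import hashlib
import hmac
import re

# Line format of Ubuntu-family SHA256SUMS files, as written by GNU sha256sum:
# "<64 hex digits>  <filename>" (text mode) or "<64 hex digits> *<filename>"
# (binary mode, which is what the ISO images use).
_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_sha256sums(text: str) -> dict[str, str]:
    """Map each listed filename to its lowercase hex digest.

    Blank lines and '#' comments are skipped; anything else that does not
    match the format raises ValueError rather than being silently ignored,
    so a tampered or truncated checksum file fails loudly.
    """
    sums: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _SUMS_LINE.match(line)
        if match is None:
            raise ValueError(f"SHA256SUMS line {lineno} is malformed: {raw!r}")
        sums[match.group(2)] = match.group(1).lower()
    return sums


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_against_sums(filename: str, data: bytes, sums_text: str) -> bool:
    """Equivalent of `sha256sum -c SHA256SUMS` for a single file.

    Raises KeyError when the file is not listed at all; treat that as a
    failure, not as 'nothing to check'.
    """
    sums = parse_sha256sums(sums_text)
    if filename not in sums:
        raise KeyError(f"{filename} is not listed in the SHA256SUMS file")
    return hmac.compare_digest(sums[filename], sha256_hex(data))


# --- Constructed scenario (hypothetical contents and filename) --------------
FILENAME = "example-desktop-amd64.iso"  # placeholder name, not a real release
GENUINE_ISO = b"genuine image contents (constructed)"
TROJANED_ISO = b"attacker-replaced image contents (constructed)"

# The checksum file the project published before the compromise.
GENUINE_SUMS = f"{sha256_hex(GENUINE_ISO)} *{FILENAME}\n"
# What an attacker who controls the web server can publish next to the
# trojaned download: a SHA256SUMS that matches their own file.
ATTACKER_SUMS = f"{sha256_hex(TROJANED_ISO)} *{FILENAME}\n"


def same_origin_check_passes_for_trojan() -> bool:
    """The failure mode the comment describes: the download and the checksum
    file both come from the hijacked site, so they agree and the check says OK."""
    return verify_against_sums(FILENAME, TROJANED_ISO, ATTACKER_SUMS)


def out_of_band_check_catches_trojan(trusted_sums_text: str = GENUINE_SUMS) -> bool:
    """Compare against a SHA256SUMS obtained through a channel the attacker
    does not control: a copy whose detached signature you verified with a
    key you already trusted, a second mirror, or a value you recorded earlier.
    Returns True when the trojaned image is rejected."""
    return not verify_against_sums(FILENAME, TROJANED_ISO, trusted_sums_text)


if __name__ == "__main__":
    print("genuine image vs genuine sums:",
          verify_against_sums(FILENAME, GENUINE_ISO, GENUINE_SUMS))
    print("trojan vs attacker's sums (same origin):",
          same_origin_check_passes_for_trojan())
    print("trojan rejected with out-of-band sums:",
          out_of_band_check_catches_trojan())
```

The point of the two scenario functions is the one the commenter makes: a hash only binds the download to the checksum file, so when both come from the same hijacked server the check passes for the trojan. What restores the guarantee is getting the checksum file (or, better, a signature over it) from somewhere the attacker does not control, which is why distributions publish a detached signature and why the signing key needs to be trusted before the incident, not fetched from the same compromised page.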