The team behind the Pale Moon browser announced in a post on the official forum, that the archive server hosting old versions of the software was compromised by hackers and used to spread malware hidden inside the installer files. The breach occurred on December 27, 2017, but was only discovered two days ago, with the team responding by immediately taking the server down to prevent further spreading of the malware.
All versions of Pale Moon up to 27.6.2 hosted in the archive server were infected but the team stresses that the server responsible for distributing the latest version of the browser was not affected. In addition, the Basilisk browser, which is developed by the same team behind Pale Moon, was not affected either.
The team does not yet know the exact way the hackers gained access to the archive server, as a separate, likely related incident that took place on May 26 corrupted most files on it, making it extremely difficult to gather more information on the breach. The malware, designated by security company ESET as Win32/ClipBanker.DY, installs a trojan that enables the party responsible for the attack to further compromise infected systems.
According to the announcement, users who have never downloaded from archive.palemoon.org are almost certainly safe. However, the team recommends that users always use the accompanying pgp signature to verify the downloaded installer to make sure that the file has not been tampered with in any way. They also state that the malware is known to all major antivirus vendors and urge all Pale Moon users to perform a virus scan to ensure that their systems are clean.