In mid-October, the Xubuntu download site was compromised and had directed users to a malicious zip file instead of the Torrent file that users expected. Elizabeth K. Joseph has published a postmortem of the incident, along with plans to avoid such a breach in the future:

To be perfectly clear: this only impacted our website, and the torrent links provided there.

If you downloaded or opened a file named “Xubuntu-Safe-Download.zip” from the Xubuntu downloads page during this period, you should assume it was malicious. We strongly recommend scanning your computer with a trusted antivirus or anti-malware solution and deleting the file immediately.

Nothing on cdimages.ubuntu.com or any of the other official Ubuntu repositories was impacted, and our mirrors remained safe as long as they were also mirroring from official resources.

None of the build systems, packages, or other components of Xubuntu itself were impacted.