Mod Malware Situation Update
Edit 2023-06-09: The researchers have updated their guidance to all-clear on unmodded versions of Minecraft Java, and work continues with both CurseForge and Modrinth to improve safeguards against new variants or copycat attacks. They are still advising staying away from mods a bit longer while this work continues.
As an additional note, I want to clarify something I don't think was clear in my original post: this was not a failure on CurseForge. What went down here has happened to other platforms. It's just the first time such a malicious package attack has been observed in the Minecraft modding scene. It may not be the last.
Original Post Follows:
As you may have seen yesterday, the modded Minecraft community is experiencing a malware incident.
The quick answer to "do I need to worry" is: if and only if all of the following are true:
you are using Minecraft Java Edition
. . . and are using any mods or modpacks
. . . and those mods were downloaded/updated in the last 2-3 weeks or possibly as far back as March (timeline still unclear as of my post)
If any of the above were not true for you, then you should be clear. Investigators are advising maximum caution even of vanilla Minecraft, more on that at the end of this post.
If all of the above were true, don't panic. You just need to take a few extra steps to be sure.
A document for non-technical users, explaining the situation in more detail and the steps to take, has been developed on GitHub.
If you used any of the scripts from yesterday to verify your stuff, you may still want to try the new tools, which will peek inside the mod files for that extra sure feeling.
The document provides links for checking yourself out, and what to do if the worst case happens.
Information about the fractureiser malware. Contribute to fractureiser-investigation/fractureiser development by creating an account on GitH
CurseForge has an update on their Twitter:
Modrinth is also in the process of verifying their site:
We are currently investigating further and intend to be able to say definitively whether Modrinth files are free of this type of malware. In
Okay, so, why is the document recommending not running even vanilla Minecraft Java?
There are a lot of brilliant people working on this incident, and they're all smart enough to not give an all-clear until all the facts are known.
Everyone wants fast results. Accuracy takes time.
This malware worked by infecting every Java jar file it found on the system.
Including Minecraft itself.
Including things that have nothing to do with Minecraft.
This spreading to other jar files appears to be how it reached legitimate mod files:
The malicious mods have upload dates multiple weeks in the past. Most of them were uploaded by single-use accounts with clearly autogenerated names, and were likely the seed of the infection. Luna Pixel Studios was compromised due to a dev testing one of these mods, as it was an interesting new upload.
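Because the spreading described above changes jar files that were already on disk, comparing each jar against an earlier snapshot shows which ones gained or changed entries. This is an added example, not code from the investigators' tools; the function names and the jar and entry names in `demo()` are constructed.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

def snapshot_jar(path):
    """Return (SHA-256 of the file, {entry name: CRC-32}) for one jar."""
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    with zipfile.ZipFile(path) as jar:
        entries = {i.filename: i.CRC for i in jar.infolist() if not i.is_dir()}
    return digest, entries

def snapshot_tree(root):
    """Snapshot every *.jar under root, keyed by path relative to root."""
    result = {}
    for path in sorted(Path(root).rglob("*.jar")):
        try:
            result[str(path.relative_to(root))] = snapshot_jar(path)
        except (OSError, zipfile.BadZipFile):
            result[str(path.relative_to(root))] = (None, {})  # unreadable jar
    return result

def diff_snapshots(baseline, current):
    """Report jars that are new or whose bytes changed since the baseline."""
    findings = []
    for name, (digest, entries) in current.items():
        if name not in baseline:
            findings.append({"jar": name, "status": "new", "added": [], "changed": []})
            continue
        old_digest, old = baseline[name]
        if digest == old_digest:
            continue
        added = sorted(e for e in entries if e not in old)
        changed = sorted(e for e in entries if e in old and entries[e] != old[e])
        findings.append({"jar": name, "status": "modified", "added": added, "changed": changed})
    return findings

def demo():
    """Constructed sample: two placeholder jars, one gains a class afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("mod_a.jar", "mod_b.jar"):
            with zipfile.ZipFile(root / name, "w") as jar:
                jar.writestr("com/example/Main.class", b"constructed placeholder")
        baseline = snapshot_tree(root)
        with zipfile.ZipFile(root / "mod_b.jar", "a") as jar:
            jar.writestr("com/example/Extra.class", b"constructed extra entry")
        return diff_snapshots(baseline, snapshot_tree(root))
```

A snapshot only helps if it was taken before exposure, and a legitimate mod update also shows up as modified, so treat a finding as a prompt to re-download that jar from its source rather than as a verdict.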
At the end of the day, it's all about risk. They can't give a clean bill of health just yet, so they won't. If it turns out that something bigger and nastier was happening, they'd be on the line for that.
This is also why every list of mods published by the investigators comes with the "not comprehensive" disclaimer -- it's what we know. What we don't know can still hurt us.
So, running vanilla launcher for vanilla Minecraft Java is considered a risk. It may be low-risk.
Is it a risk I'm willing to take? Maybe next week, when I know more. (I often wait a week after an update, which coincidentally happened yesterday, so this just happens to align with how I do things normally.)
If it's a risk you take, just be safe, stay vigilant, and keep an eye on the main repository of information for more news because I am not a reliable reporter.