Overwolf (Who owns Curseforge) is an israeli company which is supporting the genocide in palestine and funding the IDF
A lot of modders have been steadily moving to Modrinth to publish their mods, but a lot of mods and modpacks are stil available only through CurseForge or FTB apps (FTB is partnered with Overwolf).
if you are using the CurseForge launcher, I'm here to tell you that you can very easily migrate to PrismLauncher.
Thankfully, the CurseForge launcher offers a convenient way to extract your instances (profiles as it calls it) which you can then import into Prism.
Go into your profile and press the 3 dots. There, click "Export profile"
Select all the files and folders
This will create a zip file of your instance and open the folder in which it saved it. Just drag and drop the zip into Prism.
With certain modpacks, Prism will show you a message saying some mods aren't available for download through 3rd party launchers. It will give you a link to the mod as well as the folder which it is watching. Just manually download that mod into that folder and Prism will take it and put it where it needs to.
Ta-da! Your instance is now on a different launcher, with all your worlds and settings.
...Okay, first of all, this whole statement is sadly nothing but them taking the same exact route as before: misdirecting & changing the narrative to only be about "victims" when their Home Support initiative is partnered with the ILF, an openly Zionist organization. This isn't about innocent parties only when they're partnered with an organization that contributes directly towards IDF Military Intelligence. All of the money from the fund goes to the ILF's bank account to distribute, per their own FAQ page. And even without that, the association alone is enough to boycott. Overwolf and Curseforge cannot be "clean of politics" while their CEO partners with and therefore directly supports Zionist parties.
Screenshots directly from Home Support website & ILF website
This statement overall stinks because it puts the blame fully onto people with legitimate concerns by calling them all harassers. Have some people gone too far towards creators? 100%. I know that well. But Overwolf is clearly using that to deflect off of themselves, and this is why it never should have been done in the first place. Y'all focused on the wrong shit- the smaller targets instead of the big ones, and the wrong claim that they're directly funding the IDF with CF revenue, and now they're doing exactly what I said they would: once again using the fact that that's not technically true to weasel out of people's concerns. They even directly call out the fact that it's misinformation like I said they would! They clarified fucking nothing, they repeated the same shit they already said because they know they can. We need to change the focus of the boycott so that they are forced to address their actual wrongdoing! Stop spending all your time sending threatening messages on anon and instead spread factual information with sources and reach out to creators in good faith effort to get them to speak without the fear of being attacked. They will stay silent as long as the negative consequences (financially & socially) is all on them and not Overwolf & EA.
I'm still working on a comprehensive post with everything, but in the meantime, please spread this post around.
Due to concerning recent developments with Overwolf (who owns CurseForge) we have decided we will not be putting any of our projects on their platform. You will be able to find us on Modrinth when our projects are released. This includes Squashed and the Dye Mod.
The reasoning being Overwolf's involvement with funding the IDF, encouraging others to do the same, as well as numerous other issues and decisions the platform has made as of late that makes experiences worse for both creators and users.
As a user, I would encourage you to use alternatives like Modrinth and Prism Launcher. To any other modders out there, I would recommend abandoning Curse as a platform and moving to Modrinth as well.
Okay so, I did a little digging on Overwolf. For the uninitiated, right before announcing The Sims 5 they made a blink-and-you'd-miss-it announcement about making an "offiical" mods marketplace. Now will TS4 be stuck to this service? Unlikely, but they could be trying to make it so that TS5 can ONLY use this service.
That seems to be the case since they're testing mobile capabilities for TS5 and that would require more oversight on user created mods. But it would ALSO allow them to control mod distribution.
(trying to destroy the players community, naturally)
And why? Well let's look at Overwolf's TOU shall we?
Terms of Use | Overwolf
Your mods cannot use a copyright. No more creations of real life garments.
Anything can be removed at any time, without notice.
Don't sign in enough? Account deleted. Violate the letter or (dubiously vague) "spirit" of the terms? No more mods for you.
And better yet? It looks like this is a for profit company. I hope you're all ready to pay real money for something that's been free on non-centralized community run websites for twenty years. Those porn mods? Gone. Drugs? Nope. Anything that even SEEMS like it might be a copyright? Bye! What's left? You get to pay for.
Edit 2023-06-09: The researchers have updated their guidance to all-clear on unmodded versions of Minecraft Java, and work continues with both CurseForge and Modrinth to improve safeguards against new variants or copycat attacks. They are still advising staying away from mods a bit longer while this work continues.
As an additional note, I want to clarify something I don't think was clear in my original post: this was not a failure on CurseForge. What went down here has happened to other platforms. It's just the first time such a malicious package attack has been observed in the Minecraft modding scene. It may not be the last.
Original Post Follows:
As you may have seen yesterday, the modded Minecraft community is experiencing a malware incident.
The quick "do I need to worry" is if and only if all the following are true:
you are using Minecraft Java Edition
. . . and are using any mods or modpacks
. . . and those mods were downloaded/updated in the last 2-3 weeks or possibly as far back as March (timeline still unclear as of my post)
If any of the above were not true for you, then you should be clear. Investigators are advising maximum caution even of vanilla Minecraft, more on that at the end of this post.
If all of the above were true, don't panic. You just need to take a few extra steps to be sure.
A document for non-technical users explaining the situation in more detail and steps to take has been developed on github.
If you used any of the scripts from yesterday to verify your stuff, you may still want to try the new tools which will peak inside the mod files for that extra sure feeling.
The document provides links for checking yourself out, and what to do if the worst case happens.
Information about the fractureiser malware. Contribute to fractureiser-investigation/fractureiser development by creating an account on GitH
CurseForge has an update on their twitter:
Modrinth is also in the process of verifying their site as well:
We are currently investigating further and intend to be able to say definitively whether Modrinth files are free of this type of malware. In
Okay, so, why is the document recommending not even running even vanilla Minecraft Java
There are a lot of brilliant people working on this incident, and they're all smart enough to not give an all-clear until all the facts are known.
Everyone wants fast results. Accuracy takes time.
The way this malware worked was to infect all Java jar files it finds on the system.
Including Minecraft itself.
Including things that have nothing to do with Minecraft.
This spreading to infect other jar files appears to be how it spread to infect legitimate mod files:
The malicious mods have upload dates multiple weeks in the past. Most of them were uploaded by single-use accounts with clearly autogenerated names, and were likely the seed of the infection. Luna Pixel Studios was compromised due to a dev testing one of these mods, as it was an interesting new upload.
At the end of the day, it's all about risk. They can't give a clean bill of health just yet, so they won't. If it turns out that something bigger and nastier was happening, they'd be on the line for that.
This is also why every list of mods published by the investigators comes with the "not comprehensive" disclaimer -- it's what we know. What we don't know can still hurt us.
So, running vanilla launcher for vanilla Minecraft Java is considered a risk. It may be low-risk.
Is it a risk I'm willing to take? Maybe next week, when I know more. (I often wait a week after an update, which coincidentally happened yesterday, so this just happens to align with how I do things normally)
If it's a risk you take, just be safe, stay vigilant, and keep an eye on the main repository of information for more news because I am not a reliable reporter.
Information about the fractureiser malware. Contribute to fractureiser-investigation/fractureiser development by creating an account on GitH
