Minecraft players are advised to steer clear of downloading or updating mods after malware was found in dozens of such offerings available online.
The mod-developer accounts hosted by CurseForge, a platform that hosts accounts and forums related to add-on software, known as mods or plugins, were discovered to have been compromised, with malicious files dating back to mid-April.
Some reports suggest that even Bukkit.org, another platform run by CurseForge, has also been affected.
Curseforge, the popular website to download minecraft mods, has supposedly been compromised.
Curseforge mod creators are reporting that their accounts have been hacked/compromised, and are uploading malicious files, warning users not to update any modpacks. pic.twitter.com/gYNjqFXHmQ
— TheMisterEpic (@TheMisterEpicYT) June 7, 2023
“A number of Curseforge and dev.bukkit.org (not the Bukkit software itself) accounts were compromised, and malicious software was injected into copies of many popular plugins and mods,” gamers wrote in a HackMD forum dedicated to discussing the event. They added:
“Some of these malicious copies have been injected into popular modpacks including Better Minecraft. There are reports of malicious plugin/mod JARs as early as mid-April.”
Which Minecraft Modes Are Compromised?
Prism Launcher, the maker of an open-source Minecraft launcher, has identified some of the compromised mods.
It said that Dungeons Arise, Sky Villages, Better MC modpack series, Dungeonz, Skyblock Core, Vault Integrations, AutoBroadcast, Museum Curator Advanced, Vault Integrations Bug fix, and Create Infernal Expansion Plus are among the impacted modes.
Furthermore, the impacted modes across Bukkit include Display Entity Editor, Haven Elytra, The Nexus Event Custom Entity Editor, Simple Harvesting, MCBounties, Easy Custom Foods, Anti Command Spam Bungeecord Support, Ultimate Leveling, Anti Redstone Crash
Hydration, Fragment Permission Plugin, No VPNS, Ultimate Titles Animations Gradient RGB, and Floating Damage.
However, with “only four of the major antivirus engines” detecting the malware, it’s difficult to know exactly how many mods have been affected.
In a Wednesday Twitter thread, CurseForge officials acknowledged that a “malicious user has created several accounts and uploaded projects containing malware to the platform.”
The officials went on to say that a user belonging to mod developer Luna Pixel Studios was also hacked and the account was used to upload similar malware.
We have banned all accounts relevant to this and disabled the LPS one as well. We are in direct contact with the LPS team to help them restore their access. >>
— CurseForge (@CurseForge) June 7, 2023
What is Fracturiser? The Malware Compromising Minecraft Modes
Fracturiser, the malware responsible, runs on Windows and Linux systems and is delivered in stages initiated by Stage 0, which begins once one of the infected mods is run.
Each stage downloads files from a command-and-control server and then calls for the next stage. Stage 3, the final stage, creates folders and scripts, makes changes to the system registry, and steals login information for multiple web browsers.
It also replaces cryptocurrency addresses in the clipboard with alternate ones and steals Discord, Microsoft, and Minecraft credentials.
For those who want to manually check their systems for signs of infection, Linux users should look for “/.config/.data/lib.jar”, while Windows users should check for “%LOCALAPPDATA%\Microsoft Edge\libWebGL64.jar” (or “\AppData\Local\Microsoft Edge\libWebGL64.jar”), and make sure to show hidden files when checking.
- Coders Built a ChatGPT Minecraft Bot With ChatGPT
- Best AI Stocks to Invest in 2023
- Best AI Crypto Tokens & Projects to Invest in 2023
What's the Best Crypto to Buy Now?
- B2C Listed the Top Rated Cryptocurrencies for 2023
- Get Early Access to Presales & Private Sales
- KYC Verified & Audited, Public Teams
- Most Voted for Tokens on CoinSniper
- Upcoming Listings on Exchanges, NFT Drops