
CurseForge and Bukkit get hit with malware for Minecraft mods

By - | Views: 25,072

Just a bit of a PSA here for anyone diving into Minecraft modding, as recently there's been a problem on both CurseForge and Bukkit with malware.

There have been a lot of reports on this and the situation has been moving pretty quickly, but for now you should stay away from downloading any Minecraft mods from either platform. The issue affects both Windows and Linux.

From the report on hackmd and the Prism Launcher post that references it, it seems a number of compromised accounts were used to update quite a few popular mods to insert malicious files. According to the report the issue goes back multiple months, so it's not exactly clear just how widespread it truly is, and work is ongoing by many people to figure it all out.

This malware seems to work across multiple stages, and both links above show you how to check whether you've been affected, which means hunting in a few places because it creates new files and folders on your system. However, if you were using the Prism Launcher via Flatpak on Linux, the malware likely would have failed to work due to the sandboxing. Either way, checking is a good idea.

For a good place to download mods you can look to Modrinth and the Prism Launcher.

If you need a Steam Deck guide for Minecraft check out this article.

Article taken from GamingOnLinux.com.
Tags: Security, Misc, Mod
About the author -
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. Find me on Mastodon.
10 comments

Wypman Jun 7, 2023
if I play on the vanilla launcher, am I still at risk? or is this only affecting modded players
Kithop Jun 7, 2023
Quoting: Wypman
if I play on the vanilla launcher, am I still at risk? or is this only affecting modded players

This sounds like it's specific to mods on those platforms; vanilla should be unaffected as there's no word of any sort of related compromise on the Microsoft / Mojang side.

That said, I was having issues with their authentication service last night so I'm not sure if they're aware and potentially taking things offline temporarily to audit them or not. Safest is always 'not to play at all until everyone gives the all-clear', but personally I think the risk is minimal if you're just on vanilla with the official launcher.
TrainDoc Jun 7, 2023
Quoting: Kithop
Quoting: Wypman
if I play on the vanilla launcher, am I still at risk? or is this only affecting modded players

This sounds like it's specific to mods on those platforms; vanilla should be unaffected as there's no word of any sort of related compromise on the Microsoft / Mojang side.

That said, I was having issues with their authentication service last night so I'm not sure if they're aware and potentially taking things offline temporarily to audit them or not. Safest is always 'not to play at all until everyone gives the all-clear', but personally I think the risk is minimal if you're just on vanilla with the official launcher.

To clarify, a part in this malware attempts to infect any jar files it can find. If you've never downloaded Minecraft mods before you should be fine but the actual original vector cannot be determined as it could have come from anything targeting jar files. It still does seem likely this was targeting the Minecraft modding community though.
Lofty Jun 7, 2023
Quote: However, if you were using the Prism Launcher via Flatpak on Linux the malware likely would have failed to work due to the sandboxing

As much as people like to harp on about the size of flatpak / snap and their failings vs regular packaging methods, it's nice when we get to appreciate the positive sides of application sandboxing and even, as per the recent article, new technologies like immutable file-systems.

btw as a reminder don't forget you can further restrict flatpaks with Flatseal, and should someone argue that even flatpaks can be compromised, as an example I am using my password manager inside a flatpak + I have network functionality + external device access turned off for it too.

https://flathub.org/apps/com.github.tchx84.Flatseal


Last edited by Lofty on 7 June 2023 at 5:59 pm UTC
Klaas Jun 7, 2023
Quoting: Lofty
as an example I am using my password manager inside a flatpak + I have network functionality + external device access turned off for it too
What does that do? Where does it store the sensitive data? How does the flatpak partial sandbox protect the passwords from getting stolen during usage?

The sandbox can potentially (!) protect the host from something inside a flatpak but not the other way around.
Lofty Jun 7, 2023
Quoting: Klaas
Quoting: Lofty
as an example I am using my password manager inside a flatpak + I have network functionality + external device access turned off for it too
What does that do? Where does it store the sensitive data? How does the flatpak partial sandbox protect the passwords from getting stolen during usage?

The sandbox can potentially (!) protect the host from something inside a flatpak but not the other way around.

maybe I'm too paranoid or looking at this from the wrong angle then 🤔️. My (admittedly, probably wrong) thinking would be that whilst my application, which has browser integration and various network agents running, is open and my computer is connected to the internet, turning off the ability for the application to even be accessed by network traffic would help.

I guess I'm wrong but then I'll still do it because it makes me feel good


Last edited by Lofty on 7 June 2023 at 8:10 pm UTC
RTheren Jun 7, 2023
Vault Hunters 3 modpack (update 10 and 10.1) are safe, just did some forensics on my own server.
Philadelphus Jun 7, 2023
To save a few clicks, according to the hackmd post in the article you can check if a Linux system has been infected by looking for the presence of the file "~/.config/.data/lib.jar". Normally "~/.config/.data" isn't used, so its presence is a pretty good indicator of being hit (and its absence likewise suggests you're fine).

I created a new FTB server on April 22 and it appears to be OK, thankfully.
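A script for the check Philadelphus describes, added here as an example; it is not from the article, the hackmd report or any project. It looks for `~/.config/.data/lib.jar` in a given home directory and, since `~/.config/.data` is not normally used at all, also flags the directory when it exists without the jar. The function names, the `/home/*` sweep for other users' homes and the `*.sh` run guard are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the article or the hackmd report: check a Linux home
# directory for the indicator named in the comments, ~/.config/.data/lib.jar.
# Since ~/.config/.data is not normally used at all, the directory is reported
# even when lib.jar itself is absent. Function names are this example's own.
#
# Exit status of check_mod_malware_indicator: 0 = nothing found, 1 = indicator present.

check_mod_malware_indicator() {
    home_dir="${1:-$HOME}"
    data_dir="$home_dir/.config/.data"
    jar_file="$data_dir/lib.jar"

    if [ -e "$jar_file" ]; then
        size=$(wc -c < "$jar_file" | tr -d ' ')
        # GNU date -r prints the file's modification time; fall back elsewhere
        mtime=$(date -r "$jar_file" '+%Y-%m-%d %H:%M' 2>/dev/null || echo unknown)
        printf 'INDICATOR: %s exists (%s bytes, modified %s)\n' "$jar_file" "$size" "$mtime"
        return 1
    fi
    if [ -d "$data_dir" ]; then
        printf 'SUSPICIOUS: %s exists but lib.jar is absent; inspect its contents:\n' "$data_dir"
        ls -la "$data_dir"
        return 1
    fi
    printf 'OK: no %s on this system\n' "$data_dir"
    return 0
}

# When run as root, also check every directory under /home (assumption: that is
# where other users' homes live), since the launcher may have been run under a
# different account. Returns 1 if any home shows the indicator.
check_all_homes() {
    status=0
    for h in /home/*; do
        [ -d "$h" ] || continue
        check_mod_malware_indicator "$h" || status=1
    done
    case "$HOME" in
        /home/*) ;;                                        # already covered above
        *) check_mod_malware_indicator "$HOME" || status=1 ;;
    esac
    return "$status"
}

# Run directly (sh check_mod_malware.sh [HOME_DIR]) to check one home; when the
# file is sourced under another name only the functions are defined.
case "${0##*/}" in
    *.sh) check_mod_malware_indicator "$@" ;;
esac
```

Run it as your normal user first; if several people use the machine, run `check_all_homes` as root so every account is covered. A hit only tells you the indicator is present; the hackmd report linked in the article lists the rest of the clean-up steps.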
Termy Jun 8, 2023
Quoting: Lofty
btw as a reminder don't forget you can further restrict flatpaks with Flatseal

I really like Flatpak for exactly the reason that it makes sandboxing stuff (especially proprietary things like games, but of course other things, too) so easy and convenient.
BUT I would almost go as far as not saying 'you CAN further restrict' but to say 'you SHOULD look into Flatseal (or the like)'.
It's not as common as some flatpak critics make it sound, but there are indeed more than enough apps that just request full access to the filesystem or the home directory - so checking and adjusting (at least!) file access after installation is almost a must in my eyes!


Last edited by Termy on 8 June 2023 at 7:28 am UTC
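The permission review Termy recommends and the network/device lock-down Lofty applies in Flatseal can both be done from the `flatpak` CLI, which makes them scriptable and easy to audit. The script below is an added example, not code from the commenters, Flatseal or the flatpak project; it goes a little beyond the comments by also showing how to re-allow a single directory and how to reset an app's overrides. The app id `com.example.PasswordManager` is a placeholder, and the `FLATPAK_BIN` variable exists only so a test can substitute a stub for the real binary.

```shell
#!/bin/sh
# Added example, not from the comments, Flatseal or the flatpak project: the
# same per-app restrictions the commenters set in Flatseal, applied with the
# flatpak CLI. User overrides are stored under ~/.local/share/flatpak/overrides/
# and take precedence over the permissions in the app's manifest.
# Assumptions: com.example.PasswordManager is a placeholder app id, and
# FLATPAK_BIN only exists so a test can point at a stub instead of flatpak.

FLATPAK_BIN="${FLATPAK_BIN:-flatpak}"

# Show what the app asks for in its manifest, then what the user has overridden.
# Lines such as "filesystems=host", "filesystems=home" or "shared=network" in
# the first listing are the ones worth a second look after installation.
show_flatpak_permissions() {
    app="$1"
    "$FLATPAK_BIN" info --show-permissions "$app"
    "$FLATPAK_BIN" override --user --show "$app"
}

# Cut network, device and home-directory access for one app. An optional second
# argument re-allows a single directory, e.g. the folder holding a vault file.
restrict_flatpak_app() {
    app="$1"
    allow_dir="${2:-}"
    if [ -n "$allow_dir" ]; then
        "$FLATPAK_BIN" override --user --unshare=network --nodevice=all \
            --nofilesystem=home --filesystem="$allow_dir" "$app"
    else
        "$FLATPAK_BIN" override --user --unshare=network --nodevice=all \
            --nofilesystem=home "$app"
    fi
}

# Drop every user override for one app, restoring the manifest's own permissions.
reset_flatpak_app() {
    "$FLATPAK_BIN" override --user --reset "$1"
}

# Usage against a real installation (uncomment):
# show_flatpak_permissions com.example.PasswordManager
# restrict_flatpak_app com.example.PasswordManager "$HOME/Vaults"
# show_flatpak_permissions com.example.PasswordManager
```

Because `--nofilesystem=home` only removes the home grant, an app whose manifest asks for `filesystems=host` needs `--nofilesystem=host` as well; run `show_flatpak_permissions` first and add whichever entries the manifest actually requests. These flags only govern the sandbox around the app, which is the direction Klaas points out it protects: the host from the app, not the app's own data from what happens inside the sandbox.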
Klaas Jun 10, 2023
Quoting: Lofty
turning off the ability for the application to even be accessed by network traffic would help.
Sorry for the late response.

I don't want to discourage you, but I want to point out that it is better not to feel too safe due to some promise of sandboxing.