A platform that provides plugin software for the hugely popular Minecraft game is advising users to stop downloading or updating mods immediately after discovering malware was injected into dozens of listings available online.
The mod developer accounts were hosted by CurseForge, a platform that hosts accounts and forums related to add-on software called mods or plugins that expand the possibilities of the standalone Minecraft game. Some of the malicious files used in the attack date back to mid-April, a sign that account compromise has been active for weeks. Bukkit.org, a developer platform powered by CurseForge, is also believed to be affected.
Frakturier infects Windows and Linux systems
“A number of Curseforge and dev.bukkit.org accounts (not the Bukkit software itself) were compromised, and malware was planted in copies of many popular plugins and mods,” players wrote in a forum dedicated to discussing the event . “Some of these malicious copies have been planted in popular modpacks, including Better Minecraft. There were reports of malicious plugin/mod JARs as early as mid-April.”
One of the hacked accounts belongs to Prism Launcher, the maker of an open-source Minecraft launcher. Prism Launcher officials described the infections as “widespread” and listed the following mods as affected:
Dungeons Arise Sky Villages Better MC Modpack Series Dungeonz Skyblock Core Vault Integrations AutoBroadcast Museum Curator Advanced Vault Integrations Bug Fixes Create Infernal Expansion Plus – mod removed from CurseForge
View Entity Editor Haven Elytra The Nexus Event Custom Entity Editor Easy Harvesting MCBounties Easy Custom Food Anti-Command Spam Bungeecord Support Ultimate Leveling Anti-Redstone Crash Hydration Fragment Permissions Plugin No VPNS Ultimate Title Animations Gradient RGB Floating Damage Ads
Participants who posted on the forum said that the malware used in the attack, called Fracturiser, runs on Windows and Linux systems. Deployment occurs in phases initiated by Phase 0, which begins as soon as someone runs one of the infected mods. Each stage downloads files from a command and control server and then invokes the next stage. Stage 3, probably the last stage in the sequence, creates folders and scripts, makes changes to the system registry, and then runs:
Spreads to all JAR (Java archive) files in the file system and potentially allows Fracturiser to infect other mods not downloaded from CurseForge or BukkitDev. Steal cookies and credentials for multiple web browsers. Replace cryptocurrency addresses on the clipboard with alternative ones. Discord steal credentials Steal Microsoft and Minecraft credentials
According to examples of the malware posted here and here on VirusTotal, as of 10:45 AM CA time, only four of the major antivirus engines detect Fracturiser. Forum participants said that people who want to manually check their systems for signs of infection should look out for the following:
Linux: ~/.config/.data/lib.jar Windows: %LOCALAPPDATA%\Microsoft Edge\libWebGL64.jar (or ~\AppData\Local\Microsoft Edge\libWebGL64.jar) Make sure hidden files are shown, if you mark Yes. “Microsoft Edge” with a space. MicrosoftEdge is the legitimate directory used by the actual Edge. Also check the registry for an entry under HKEY_CURRENT_USER:\Software\Microsoft\Windows\CurrentVersion\Run or a shortcut in %appdata%\Microsoft\Windows\Start Menu\Programs\Startup. All other operating systems: Not affected. The malware is hard-coded for Windows and Linux only. It’s possible that it will receive an update in the future that will add payloads for other operating systems.
People investigating the incident have provided scripts here to help locate these files. CurseForge provides a disinfection guide here.
Taking to social media, CurseForge officials said that a “malicious user created multiple accounts and uploaded projects containing malware to the platform.” The officials further said that a user of mod developer Luna Pixel Studios was also hacked and the account was used to upload similar malware.
In an update that CurseForge officials sent out via a Discord channel, they wrote:
A malicious user created multiple accounts and uploaded projects containing malware to the platform. Also, a Luna Pixel Studios (LPS) user was hacked and used to upload similar malware. We have blocked all relevant accounts in this regard and also disabled the LPS account. We are in direct contact with the LPS team to help them recover their access. We are in the process of going through ALL new projects and files to ensure your safety. Of course, we are holding the approval process for all new files until the issue is resolved. Deleting your CF client is not a recommended solution as it will not resolve the issue and will prevent us from providing a fix. We’re working on a tool to make sure you don’t hear about it. In the meantime, note the information published under #current-issues. This is ONLY relevant for Minecraft users. To be clear: CurseForge is not compromised! No administrator account was hacked.
We are working to ensure the platform remains a safe place to download and share mods. Thanks to all the authors and users who help us to highlight. Thank you for your cooperation and patience ❤️
In an online interview, an official at Luna Pixel Studio wrote:
Basically, our modpack developer installed a malicious mod from the last updated section in the Curseforge Launcher. He wanted to test whether adding the new modpack update was worthwhile, but since it was approved by Curseforge it was overlooked. After we launched the modpack we didn’t want it so we removed it, but by that time it was too late and the malware had already started at level 0.
Everything seemed fine until the next day, and then projects on Curseforge from the LunaPixelStudios accounts started uploading files and then archiving them. We first became aware of this because a user asked for a changelog for one of the mods, but we never updated it so we checked it out. From there we contacted a lot of people who did a great job to stop it. Overall, not many seem to be affected, but malicious mods dating back to 2023 are suspected to have been found.
This is a groundbreaking story. More details will be added as needed.