Minecraft: malware discovered in mods on CurseForge and Bukkit

The Minecraft modding community has been rocked by an alarming discovery: malware has been detected in several popular mods on the CurseForge and Bukkit platforms. This has caused great concern among users, as the malware appears to have been in circulation for several months, affecting both Windows and Linux users.

The ‘fractureiser’ malware

The malware, named “fractureiser”, was discovered in various projects on CurseForge. It spreads in three stages, with infected mod files acting as “stage 0”. The final “stage 3” of the malware is capable of stealing user credentials and propagating to all jar files on the file system, which could potentially allow it to infect other mods not downloaded from CurseForge. It is therefore advisable to avoid playing Minecraft, especially with mods, to prevent the spread of this malware.

How do I know if I’m infected?

In response to this threat, the CurseForge team has suspended its file approval process and banned accounts involved in the spread of the malware. In addition, in collaboration with the author community, CurseForge has launched an in-depth investigation to quickly resolve this issue and implement preventative measures for the future. A detection tool has been made available to help users identify whether their computer has been infected. If the tool detects an infection, it provides a list of detected files which the user can then delete.

Further information and security recommendations

According to the PrismLauncher website, it is possible that the malware spread through a security vulnerability in the Overwolf platform itself. In addition, the malware appears to be capable of replicating itself, which reinforces the recommendation to avoid playing Minecraft for the time being.

It is also recommended not to download or update mods from CurseForge and Bukkit for the time being. Automated scripts for Windows and Linux have been made available to help quickly check whether malicious files exist on your system.

It’s important to note that even if you remove these files, it doesn’t mean you’re completely safe. It’s possible that other, more advanced malware is in circulation. In addition, it has been discovered that the virus is most likely extracting Microsoft credentials and passwords stored in the browser. It is therefore strongly recommended to change all your passwords after removing the virus.
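Because stage 3 is described above as propagating to jar files across the file system, one complementary check is to record what each jar contains and compare it later. The following is an added example, not the CurseForge detection tool or the community scripts mentioned above; the function names and the sample jars are constructed for illustration. A baseline is only meaningful if it was taken on a system known to be clean.

```python
import os
import tempfile
import zipfile


def snapshot(root):
    """Map each .jar under root to {entry name: CRC-32}; unreadable jars map to None."""
    result = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            full = os.path.join(folder, name)
            try:
                with zipfile.ZipFile(full) as jar:
                    entries = {i.filename: i.CRC for i in jar.infolist()}
            except (OSError, zipfile.BadZipFile):
                entries = None
            result[os.path.relpath(full, root)] = entries
    return result


def diff_snapshots(baseline, current):
    """Report jars that are new or whose entry set or entry contents changed."""
    findings = {}
    for rel, now in current.items():
        if rel not in baseline:
            findings[rel] = {"status": "new"}
        elif now != baseline[rel]:
            old, new = baseline[rel] or {}, now or {}
            findings[rel] = {
                "status": "modified",
                "added": sorted(set(new) - set(old)),
                "changed": sorted(n for n in new if n in old and new[n] != old[n]),
                "removed": sorted(set(old) - set(new)),
            }
    return findings


def demo():
    """Constructed sample: two tiny jars; one gains an entry after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("mod-a.jar", "mod-b.jar"):
            with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
                jar.writestr("example/Main.class", b"constructed placeholder")
        baseline = snapshot(root)
        with zipfile.ZipFile(os.path.join(root, "mod-b.jar"), "a") as jar:
            jar.writestr("example/Unexpected.class", b"constructed placeholder")
        return diff_snapshots(baseline, snapshot(root))
```

In real use, call snapshot() on the mods folder, store the result (for example as JSON) somewhere the game cannot write to, and run diff_snapshots() against a fresh snapshot; a jar that gained entries without an update being installed deserves a closer look.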

Infected projects now fixed:

Most LunaPixelStudios projects – It’s advisable to make sure you have the latest version of any modpacks, as the necessary patches should already be available for these modpacks, and the infected files removed.

  • Buried Barrels
  • Sky Villages [Forge/Fabric]
  • Simply Houses
  • When Dungeons Arise – Forge/Fabric
  • Skyblock Core
  • Prominence [FORGE]
  • Medieval MC [FORGE] – MMC3
  • Better MC [FORGE] – BMC3

Projects that are infected and permanently disabled:

  1. Golem Awakening
  2. Phanerozoic Worlds
  3. Autobroadcast
  4. Museum Curator Advanced
  5. Vault Integrations (Bug Fix) * Note – Not the Modpack Vault Integrations
  6. AmazingTitles
  7. dungeonx * Note – Not DungeonZ
  8. HavenElytra
  9. DisplayEntityEditor
  10. The Nexus Event Custom Event
  11. SimpleHarvesting
  12. McBounties
  13. More and Ore advanced
  14. Easy Custom Foods
  15. AntiCommandSpam Bungeecord Support
  16. UltimateLevels
  17. AntiRedstoneCrash
  18. hydrationPlugin
  19. NoVPN
  20. Fragment Permission Plugin
  21. Anti ChatReport
  22. Additional Weapons+
  23. UVision ENHANCED (server pack only)
  24. UVision Server (server pack only)
  25. UVision LITE (server pack only)
  26. Create: Diesel and Oil Generators
  27. Ultra Swords Mod
  28. Simple Frames
  29. AntiCrashXXL
  30. Skelegram – The Skript Telegram Addon!

Questions and answers

Have CurseForge accounts been compromised?

Malicious accounts were created and used to upload infected projects. These projects have been deleted and the accounts banned.

How many users were affected?

We now know that the infected files were downloaded around 6,000 times (not unique) over the course of the infection. To put this in perspective, this represents around 0.015% of CurseForge's daily Minecraft downloads.

Can I play modified versions of Minecraft?

If you haven’t downloaded any of the projects listed above, you can play safely. If you still want to check your files or use mods outside the platform, make sure you follow and complete the steps below before playing with mods.

