The Minecraft modding community has been rocked by an alarming discovery: malware has been detected in several popular mods on the CurseForge and Bukkit platforms. This has caused great concern among users, as the malware appears to have been in circulation for several months, affecting both Windows and Linux users.
The ‘fractureiser’ malware
The malware, named “fractureiser”, was discovered in various projects on CurseForge. It spreads in three stages, with infected mod files acting as “stage 0”. The final “stage 3” of the malware is capable of stealing user credentials and propagating to all jar files on the file system, which could potentially allow it to infect other mods not downloaded from CurseForge. It is therefore advisable to avoid playing Minecraft, especially with mods, to prevent the spread of this malware.
How do I know if I’m infected?
In response to this threat, the CurseForge team has suspended its file approval process and banned accounts involved in the spread of the malware. In addition, in collaboration with the author community, CurseForge has launched an in-depth investigation to quickly resolve this issue and implement preventative measures for the future. A detection tool has been made available to help users identify whether their computer has been infected. If the tool detects an infection, it provides a list of detected files which the user can then delete.
Further information and security recommendations
According to the PrismLauncher website, it is possible that the malware is a security vulnerability in the Overwolf platform itself. In addition, the malware appears to be capable of replicating itself, reinforcing the recommendation to avoid playing Minecraft for the time being.
It is also recommended not to download or update mods from CurseForge and Bukkit for the time being. Automated scripts for Windows and Linux have been made available to help quickly check whether malicious files exist on your system.
It’s important to note that even if you remove these files, it doesn’t mean you’re completely safe. It’s possible that other, more advanced malware is in circulation. In addition, it has been discovered that the virus is most likely extracting Microsoft credentials and passwords stored in the browser. It is therefore strongly recommended to change all your passwords after removing the virus.
Infected projects now fixed :
Most LunaPixelStudios projects – It’s advisable to make sure you have the latest version of any modpacks, as the necessary patches should already be available for these modpacks, and the infected files removed.
- Buried Barrels
- Sky Villages [Forge/Fabric]
- Simply Houses
- When Dungeons Arise -Forge/Fabric
- Skyblock Core
- Prominence [FORGE]
- Medieval MC [FORGE] – MMC3
- Better MC [FORGE] – BMC3
Projects that are infected and permanently disabled:
- Golem Awakening
- Phanerozoic Worlds
- Museum Curator Advanced
- Vault Integrations (Bug Fix) *Note – Not the Modpack Vault Integrations
- dungeonx * Note – Not DungeonZ
- The Nexus Event Custom Event
- More and Ore advanced
- Easy Custom Foods
- AntiCommandSpam Bungeecord Support
- Fragment Permission Plugin
- Anti ChatReport
- Additional Weapons+
- UVision ENHANCED(server pack only)
- UVision Server(server pack only)
- UVision LITE (server pack only)
- Create: Diesel and Oil Generators
- Ultra Swords Mod
- Simple Frames
- Skelegram – The Skript Telegram Addon!
Questions and answers
Have Curseforge accounts been compromised?
Malicious accounts have been created and downloaded infected projects. These have been deleted and the accounts banned.
How many users were affected?
We now know that the infected files were downloaded around 6,000 times (not unique) over the course of the infection. To put this in perspective, this represents around 0.015% of daily Minecraft downloads by CurseForge.
Can I play modified versions of Minecraft?
If you haven’t downloaded any of the projects listed above, you can play safely. If you still want to check your files or use mods outside the platform, make sure you follow and complete the steps below before playing with mods.