Hackers have made use of two popular Minecraft modpack installers as vessels for delivering malware to unsuspecting gamers.
Players downloading and managing mods and modpacks through CurseForge and Bukkit are at risk of accidentally installing a worm known as Fractureiser.
According to a report from Prism Launcher, attackers gained access to a number of CurseForge and Bukkit accounts, which then allowed them to embed malicious code within mods uploaded to the platforms. These mods were then adopted by larger modpacks, and downloaded by unsuspecting users.
“Multiple groups are reporting many CurseForge and Bukkit projects as compromised. Malware has been uploaded to several projects, and it’s now known that the virus is self-replicating and spreading,” said Prism Launcher.
While it is unknown how many people have been affected by the attack, just one of the modpacks, “Better Minecraft”, has been downloaded 4.6 million times.
CurseForge took to Twitter to announce the incident, clarifying that CurseForge itself was not hacked and that the incident was isolated to Minecraft modpacks.
We are looking into an incident where a malicious user uploaded projects to the platform. This is relevant only to Minecraft users and we have banned all accounts involved.
CurseForge itself is not compromised in any way! Please follow the thread below for more information
— CurseForge (@CurseForge) June 7, 2023
It also said that it has banned all accounts connected to the issue, and that it is currently sifting through relevant files and “deploying more security measures.”
In addition, it has released a Detector Tool that allows users to scan modpacks before running them.
CurseForge has advised users not to uninstall the client, as this could prevent it from installing a fix.
Minecraft modding studio Luna Pixel Studios trialled an infected mod and said that it resulted in a supply chain compromise that spread to its modpacks.
In addition, another modpack developer, Violet Moon, has conducted an investigation into Fractureiser, calling it “INCREDIBLY DANGEROUS”.
We have finished rewriting the fractureiser virus document into a more concise and readable repository for users.
If you are a Modded Minecraft player and are concerned about the virus and want to know what to do, please read: https://t.co/sMF4N6xM1G
(RT appreciated ty)
— Violet Moon (@VazkiiMods) June 7, 2023
According to GitHub researchers, the malware is capable of stealing cookies, stealing Minecraft, Discord and Microsoft account credentials, replacing cryptocurrency wallet addresses cached in the device’s clipboard and self-propagating to all .jar files.
In addition, the malware will also run a script on Windows start-up that will install Java if it isn’t installed already, which will, in short, allow it to deploy malware updates.
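Because the malware is reported to propagate into .jar files, a baseline of a mods folder taken while it is trusted will show which archives were altered later. The following Python code is an added example, not from the article, CurseForge's Detector Tool or any project named here; all function names and the sample jars are constructed for illustration.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

def jar_fingerprint(data: bytes) -> dict:
    """SHA-256 of the whole jar plus a digest of every .class entry inside it."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        classes = {n: hashlib.sha256(jar.read(n)).hexdigest()
                   for n in jar.namelist() if n.endswith(".class")}
    return {"sha256": hashlib.sha256(data).hexdigest(), "classes": classes}

def snapshot(mods_dir: Path) -> dict:
    """Fingerprint every .jar under mods_dir (take the baseline while trusted)."""
    return {str(p.relative_to(mods_dir)): jar_fingerprint(p.read_bytes())
            for p in sorted(mods_dir.rglob("*.jar"))}

def diff(baseline: dict, current: dict) -> list:
    """List jars that appeared, vanished or changed, with the affected classes."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            findings.append((name, "new jar", []))
        elif new is None:
            findings.append((name, "jar missing", []))
        elif old["sha256"] != new["sha256"]:
            # Added, removed or rewritten classes; empty if only resources changed.
            changed = sorted(c for c in set(old["classes"]) | set(new["classes"])
                             if old["classes"].get(c) != new["classes"].get(c))
            findings.append((name, "jar modified", changed))
    return findings

def make_sample_jar(entries: dict) -> bytes:
    """Build a constructed sample jar in memory (test data, not a real mod)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in entries.items():
            jar.writestr(name, body)
    return buf.getvalue()

def demo() -> list:
    """Constructed scenario: one jar gains a class after the baseline is taken."""
    mods = Path(tempfile.mkdtemp())
    (mods / "a.jar").write_bytes(make_sample_jar({"pkg/Main.class": b"main"}))
    (mods / "b.jar").write_bytes(make_sample_jar({"pkg/Mod.class": b"mod"}))
    baseline = snapshot(mods)
    (mods / "b.jar").write_bytes(make_sample_jar({"pkg/Mod.class": b"mod", "pkg/Extra.class": b"x"}))
    return diff(baseline, snapshot(mods))
```

A legitimate mod update also shows up as "jar modified", so a finding is a prompt to compare the file against the hash published by a trusted source, not proof of infection.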