I've been @'d

ye cuz you'll be able to explain to darkhai better xp

they're asking if they need to change passwords

Can't really relay Curseforge's mod team on this

#🆘︱current-issues🆘 and #📢︱news

Alright let see what to do windows defender offline scan and take my pc off the Internet completely can’t have my data if you can’t receive the data

Quick question would windows defender offline scan work

I don't know the issue on a code level well enough to say one way or the other. Curseforge devs just waking up on their timezone and investigating. updates will be posted in the channels NLK linked above

Alright

it probably doen'st hurt to give your computer a scan anyway 😄 lol

waits for it

We’ll of course sounds like a excuse to break into peoples houses and install mcaffee

For minecraft server packs on version 1.12 do you usually use java 8 or java 11?

!mc-java

Sup

HKCU:\Software\Microsoft\Windows\CurrentVersion\Run

So i just went here to check for this registery

What should i be looking for

This is to do with the recent hacking

a file named "t" i believe

some dude made a script in one of the articles, and thats the file name it searches for in there

Thought curse forge was safe 😔

tbh, it's really hard to be 100% safe from anything.

True

Being 100% safe online is impossible anyways so was only a matter of time

Microsoft Edge i believe

its trying to appear legit but (it isnt)

this is the windows registery

huh

😱

wat wat

a file in the windows registery

what did i say wrong?

you mean its there for you?

I dont think there is files in anyones registery lol

oh

then why was there a check for it?

Also check the registry for an entry at HKEY_CURRENT_USER:\Software\Microsoft\Windows\CurrentVersion\Run

Im so confusled

first time on a puter?

no, first time in the registry tho

i only just got cursed

now its this

O_O

lives up to its name

lol

it looks like im all clean

but who knows

Will I be fine if I updated the mods but I didn't play on it?

im not sure

Was told that curseforge was hacked, is it true?

yea

https://prismlauncher.org/news/cf-compromised-alert/

here is how you can check

Thank you

Id probably delete it for now completely

Dungeons Arise
Sky Villages
Better MC modpack series
Fabuously Optimized (Found to not be compromised)
Dungeonz
Skyblock Core
Vault Integrations
AutoBroadcast
Museum Curator Advanced
Vault Integrations Bug fix
Create Infernal Expansion Plus - Mod removed from curseforge

here is a list of effected mods

Thanks

Pixelmon wasn't hacked?

suprising

You can check the mod list from the text file in the mod pack

wdym?

Ohh

okay

i see

ty

dont run the games'

updates when CF has something to say about will be in #📢︱news and #🆘︱current-issues🆘

are there people currently working on resolving it?

and have the mods been removed from the app?

how do I enabel this?

or disable sry

i don't see it via view

yes there are people looking into this right now taking their first sips of morning coffee

I need this too

no rush its only all users computers

Cut here to activate firewall

Cat-5 cable

^

also i dont' see my windows explorer file

or microsft explorer

so i ran the powershell file and it said nothing here am i safe?

ah wait nvm

i just ran the file

or code ig

Bru

h

oof that's all the formatting that thing has?

rough lol

my god im a schizo im reformatting my machine now

hi I wanted to ask kindly if someone could help me with this problem that I was presented this morning, where comes this smootstraps that you have to update but tells me that it is impossible to update the native launcher of minecraft, gives me this problem on every modpack , I tried to dinstallare and reinstall curseforge and nothing I would not know what I could do someone can help me thanks.

dont install anything brudda

Would recommend to install nothing atm until the issue is solved

yeah leave it alone until all of this malware stuff is resolved

There is no warning at all in the launcher

ok thanks

hi i had this issue this morning. Normally there was nothing wrong with modpack i was playing normally. When i click "view crash report" nothing shows up.

here also entire mod pack

imagine all the children around the country installing modded minecraft onto their parents computers

amigos i have a problem with a mod

owo

delete

all of the ppl who have their accounts leaked...

and all of the ass beatings those kids will get...

i dont think you got one with it

also setup a firewall to the server if you arent doing a hard restart

i didnt understand

wdym a hard restart

don't mess with any mods rn

reinstalling the os

shiiiii

eh

i ran the check

(s)

im fine!

maybe

from this list

Dungeons Arise
Sky Villages
Better MC modpack series
Fabuously Optimized (Found to not be compromised)
Dungeonz
Skyblock Core
Vault Integrations
AutoBroadcast
Museum Curator Advanced
Vault Integrations Bug fix
Create Infernal Expansion Plus - Mod removed from curseforge

@vernal holly check you dont have any of these

these are malwared mods?

yea

ok thanks

all except the one that is said to not be

oh good i don't have any of those

still check
Windows: %LOCALAPPDATA%\Microsoft Edge\libWebGL64.jar (or ~\AppData\Local\Microsoft Edge\libWebGL64.jar)

Yes, "Microsoft Edge" with a space
Also check the registry for an entry at HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
Or a shortcut in %appdata%\Microsoft\Windows\Start Menu\Programs\Startup

wait whats going on

there is malware that got put in a few mods on curseforge rn

well fuck.

1 of them is dungeon's arise like what the fuck

yea apparently some of the accounts for the administration of curse have been compromised

or the mod owners or something

but there has been another hack like this recently for java idk why they keep attacking minecraft lol

Afaik only one account (the lunpixel mascot account) has been compromised

the last one was Log4j, which affected a multitude of programs. Minecraft just happened to be one of them

yea

still not cool tho

Should I have any concerns about CurseForge updating my addons for WoW? A lot of streamers saying I shouldn’t be using it atm.

It doesnt seem like WoW is affected rn

only minecraft

To be safe, should I just … not?

i cut it close with the whole malware thing because in my modpack i downloaded dungeon's arise like a week ago and i deleted right after this stuff was announced

there is always going to be a chance of downloading malware from anywhere on the internet
at the moment i would say that chance isnt much higher than normal for CF hosted WoW addons

does curseforge not check for malicious code?

or did it get past?

there is a system for checking. obviously this seems like to be one that got through

does that mean i hav eit?

if I already Downloaded mods are they safe

just copy and paste this into directory

HKCU:\Software\Microsoft\Windows\CurrentVersion\Run

oh wait

nah

No, you're safe.

thanks, now to worry about my main machine

i tried checking if i was compromised or not but after i changed to view hidden files i got the blue screen of death

Wait which mods? Also, I noticed a mod I hadnt installed was on there

It was like crystals and end mod or something

Or colorprism or something

It worked, I just have a error on the server but i didn’t have the time to look for it

Does the power shell script that scans for the malware automatically scan through hidden files?

it should

It does, as it checks specific paths, and that doesn't care about if files are hidden. If there's a file at that path, it will show up in the script.

The hidden flag just makes it harder for people to see it in Explorer, unless they show hidden files

Alr thanks

Its also marked as a system file, which is a seperate visiblity setting

Plugins like display entity editor @upper root ?

nope, its improving
no one new should be able to get affected cause the places that host the next stages are down

W

iv tryed useing the unlock thing but is still not working

that is on my list of affected things

So is that a plugin or mod

plugin

These are server plugins?

Or like client

some plugins and some mods were uploaded with malware in them

so both

Well shit what about the servers effected

Any that have the plugin installed

im just going to play none modded minecft for a bit tbh

All of this is happening right after I told my friend curse forge was safe to use also lol. I know it's not their fault but I feel terrible for it

xd

I just installed today lol I didn't trust modded Minecraft before but I decided to do it cause my friend wanted me to

i downloaded the CRIF modpack like immediately before this all came out but never actually opened the modpack through curseforge, and i checked my computer for all the malicious files and found nothing. i should be good right?

yea you should be if the files not in there

just dont use cursefore

for like a while

yeah im leaving it alone for a good while

can someone explain me or link me this if not already asked: if I have minecraft mods, do I just dont update them but I can update my WoW addons? I dont quite understand the "This is relevant ONLY to Minecraft users" in news

its only effected minecraft mods/modpacks as of right now so WoW addons are good

and yes dont update mc mods

coolio

ty

how to get rid of malware?

#🆘︱current-issues🆘

Oh thx

So It detected a bad path i believe, what action do I take from here?

the prism one?

yup

so

whatever path it has here -> "bad file found! please delete $path" copy that path and delete

but I would just follow the prism guide

it shows you how to do it that way Idont have to re-explain here lol

i need help

does modpack mods update by itself?

no

well, there is one that is known to (essential) but it doesnt seem to be compromised

i have fabolously optimized and kinda scared

FO is fine

it wasnt actually infected

i downloaded that 2 months ago

doubly fine then

I dont have a "microsoft edge" folder in my %localappdata% so im good?

should be

thanks man i almost had a heart attack when i saw the news

i also checked i dont have that either

says it doesn't recognize the term ' bad '

C:\WINDOWS\system32> ForEach ($Path in $badPaths) {

    if (Test-Path -Path $Path) {
            Write-Host "bad file found! removing $Path..."
            Remove-Item -Force $Path
            $res = $true

This also popped up am I good, I'm so confused. I never do any code things

Make sure to make hidden files visible and for windows also disable Hide protected operating system files

I have done this

I wonder if Microsoft Edge is two words for you

You should actually have it

I dont even have that folder at all

not even one word

You know that's odd, I actually don't have it

Or at least can't find it

I don't have the oneworded one either, but I opened edge todat (Accidentally) but still

today

I have microsoft\edge but no "Microsoft Edge"

so the game isn't safe to play with curse forge mods for a while?

you can use the script done in a different format that I posted in #🧱︱mc-other-help pins for this purpose

Try %appdata%\Microsoft\Windows\Start Menu\Programs\Startup maybe

Idk if that's supposed to be it

Actually no that's something else

Tried that did not work, everything spammed red and it refused every line. basically saying valid statement, I might actually be okay IDK though and IDK how I would fix it.

sounds like your system's powershell and CMD functions are broken

You could try clicking this pc and search for microsoft edge as two seperate words, for me it's loading up but I think I may have found it

Well that's not good

Actually I didn't

uh, should I do something do you need me on a call or something?

how do I check if my computer is compromised or not ?

there is a script in the link in #🆘︱current-issues🆘 or one pinned in #🧱︱mc-other-help

thanks

if you run the script and you're gucci are you ok to play minecraft?

yes, but it may be worth not doing anything mc related for a day or two till this blows over completely

ok, thank you!

So is the bad file just called libWebGL64.jar?

there are a few bad files, but that is one of the main ones

the script in the link in #🆘︱current-issues🆘 and pinned in #🧱︱mc-other-help check for all the known ones

okay when I will be back home I'll test the .BAT

I am finding this one other search software called "everything"

I am just going to go down that list and see if I find it

Honestly, with this all being done, I think it would be worthy to consider adding an update history feature so we can see what mods we updated in what order and when

Then we could also roll back from there

until that you can sort / view file timestamps in OS file browser (go to profile options > open folder > mods folder)

I thought someone said if you have it that it can try to copy itself places

it is the same place for all launchers, the scripts linked in places check those places

I don't know if Curseforge is a US based platform, but even if it's not I think you can report the malware to the CISA and explain what was going on

I don't know if they would resolve the issue but I think they would try to eventually find out who did it

us is israel based

I wonder if they'd still try anyway, since it has for sure impacted US citizens

I'm sure Israel may have an equivalent if anything

That might be more up to whoever actually owns/runs curseforge though

I am sure they have a better understanding of the situation

i expect if such a report is useful microsoft has already done it

If they know about it

If you're talking about getting the criminal charges rolling though it's better to just report to any government organizations you can

Reporting to companies gets it lost in "policies"

Does Curse forge auto update minecraft modpacks?

when i try to launch curseforge on minecraft i get a "error code 1", i have tried to launch curseforge without mods, and i have tried reinstalling. But nothing seems to work, how do i fix this issue? Could it perhabs be with java or overwolf?

no

ok cool thank you

Does virus only affect modpacks or individual mods too?

its only found in mod jars

but modpacks are made of mod jars

it impacts modpacks through infecting mods in the packs.

SO i did that run command it suggests what am i actually looking for?

İ installed inventory profile next a week ago

İ didn't find anything related to malware

So if you can't find any file your fine right?

I havent booted curseforge for like 2 days now?

IS this file anything to worry about?

Nope.

I have so many of those files

So the script didn't find anything nor could i find anything by hand, plus I haven't booted curseforge in like 4 weeks, I should be save, I hope

Hi, when i try to launch curseforge i get a "error code 1", i have tried to launch curseforge without mods, and i have tried reinstalling. But nothing seems to work, how do i fix this issue? Could it perhabs be with java or overwolf?

I would suggest not touching curseforge for the next while

would running/launching a modpack still be alr? i havent updated the pack in months

Hey, pls send a launcherlog in #🧱︱mc-other-help

Then should be all fine, its also depends on which modpack bec only some mods are affected of the issue

anyone know if anything in bigchadguys modpack is infected ?

Have any shaders been effected?

better ask the author himself, I can look later in the modlist too but im only on phone right now

nope

i can send you screenshots if you want

of the mods

Alright thanks, I think I’ve only downloaded shaders in the past few weeks

valhelsia 5

everything that is known is here: https://hackmd.io/@jaskarth4/B1gaTOaU2 the technical info lists items known to be infected. but any mod could be

my advice, if you've downloaded any mods in the past four months, run the check, if it finds anything, wipe your harddrive and do a fresh OS install. if not, don't touch mc for now and keep your eyes out for updates

uh better ask the author, but its maybe affected

no clue on how to do the regsitry thing, but as far as the "microsoft Edge" with a space folder, its not there

yes i checked view hidden files n jazz

When nothing appears it seems to be fine, are you using windows?

yeap

Would be nice, but I can only compare it later when im on a pc

You can also look into the pinned messages, there is a bat script which does the same it is easier to handle

here: #🧱︱mc-other-help message

What is desktop.ini and where did it come from

its from windows normal invisible file

Alright

you can google it too

How do I know that that powershell method is trustable

bec we say its trustable xD

It's just checking for specific files to make sure they don't exist

also many user already done it^^

The existence of the files means you're infected

did it, says nothing found

Not sure if this has been answered, but have there been any sightings of 1.12.2 being affected?

then you are fine

cool

Im general 1.16.5 + is affected known, we dont know any 1.12.2 malware for now

Im also not confident with the issue, but I will make later a list and also try to help a bit more

Thank you :) Still gonna run checks tho

Guys hello, should I uninstall forge completely or just delete the mods I have and check with the script if I have the malware?

announcements says no, just be patient and dont touch minecraft for the time being

You dont need to uninstall forge, only check the malware with the script and dont update any mods for now.
We (or better named the cf team not me haha) are working for fixes right now

I know its in the announcement but id still like to be reassured if we are 100% that this only affects MC and not WoW?

how does one download the bat script

you are helping to fix the community chaos, that counts too!

yep only minecraft mods, no wow - if i have new news I will send them to you

they didnt code it into a bat file... just right click and run in powershell if ur on windows

im on java

i mean mac-

im not sure if they are infecting mac users...

it said its primarily for java users but im really not sure

Briar coded it into a bat file I think #🧱︱mc-other-help message

theres no file to click or download there

as far as we know, MAC users are fine

hm ok thanks

yep mac is fine

so what i need to do

we still don't have a full understanding of the malware, staying away from mc even on mac might still be a good idea

everything that is known is here: https://hackmd.io/@jaskarth4/B1gaTOaU2 the technical info lists items known to be infected. but any mod could be

my advice, if you've downloaded any mods in the past four months, run the check, if it finds anything, wipe your harddrive and do a fresh OS install. if not, don't touch mc for now and keep your eyes out for updates

could there be a delay? with the malwearinstall?

i installed a modpack like a few days ago

tho i did the check and it didnt find annything

does the script only look for infected mods?

or does it also check the malware on how and where its installing and stuff?

the script looks for where the infected mods might inject malware.

okay

than back to my first question

could there be a delay?

yes

so doing the check now does not realy say much?

we can at least boot curseforge and look at mods list right?

as long as we dont download anythin we fine?

there isnt a delay the malware injects itself right when u run the mod or download it iirc.

okay

there should honestly be a faq

than i guess im fine

there should yes

maybe there busy making one now

who know

knows*

FAQ:
Q: Are we fucked?
A: Yes.

lmao

its still pretty new so theyre working on it. Its also like the middle of the night early morning on a weekday.

most people dont read FAQ anyways...

its funny but also not funny

still better than people asking the same question over and over

depends on the timezone^^

lol people will do it annyway cause people are lazy

true tho

and just ask the question instead of looking for it

so.... would it be okay to play the modpack?

or no?

🤔

I would stay away from launching modded mc for the time being until people know for sure whats going on

no way to know for sure whether it contains infected mods or not

apparently this malware goes back to April

from what I read, mac is still targeted, but has more security than windows, making it resist better to the attack,
but the risk still exists

any new malwares should be suiciding due to the lack of the C&C Server (It's ddosed as of right now)

if you're on linux, this script allow you to check each jar of a folder https://pastebin.com/T6aQ7C2E
there is no windows equivalent yet afaik

still imo don't play any mods until the issue is resolved

a new C&C could be brought up at any time

i was literaly playing a pack wile this came up

😦

Guess we've got two different sets of information going around cos on either the hackmd or prism update page for it, can't remember which, it said that mac is unaffected as it seems hardcoded for hitting linux and windows, but that mac MAY be targeted in future

hackmd

I got it from here https://hackmd.io/5gqXVri5S4ewZcGaCbsJdQ which is linked in the main hackMD in the technical -> stage3 part

Lol I was updating my custom pack when I learned about it 😂 Thankfully though it was also surrounding the create 5.1 update (I've got a bunch of create addons that aren't updated to 5.1 compatible yet so I had to look at the changelogs to see if their newest versions were compatible and thus viable to download for the update)

Mentioned both cos I've read both of them and couldn't remember which it was xD

trust pls the prism updates and from the cf admins/news - good sources to be informed, some people say not correct informations about the issue right now

I didn't say that either one couldn't be trusted 😛 Just wasn't sure which would be the more accurate of the two, cos one would have found out the info and shared it, and the other would have reported said information to boost it

In order of priority though, should we follow the Prism team or HackMD first?

the prism news say to read the HackMD for updated information

hack MD is people who deal with this sort of stuff and is live updated

Hello I have little problem here so I'm working on my files in my modpack so How can I add more mods into the file in curseforge

You may not be able to right now, as they've paused uploads right now to my knowledge

Yeah it's not true

?

its weird to see tham type wile ur right there lol

Last I heard they paused the approval process

because I upload my modpack yesterday I don't think it's paused

they disabled it around 6h ago

^^

It was very early this morning. See #📢︱news

But I guess I misread and it's approvals

So maybe not who knows

So what can be done to block this issue from happening in the future?

any news on when 1.20 fabric mc being added to cf launcher?

The way this attack was launched was very obfuscated and sophisticated should note that a determined attacker 9 times out of 10 will obtain access. But this has highlighted many flaws in the system, particularly with a lack of code signing

probably not until fabric 1.20 exists

This might prompt the modloaders to make code signing mandatory

guys do you know if antiviruses like norton360 etc. can check and find the virus?

as far as we know, no

Very unlikely

ok

This is malicious code inside of what is otherwise regular-ass mod files

they cannot. it takes about 6-12 months at minimum for antivirus software to be able to consistently catch new malware, and that's after the malware is discovered in the first place.

There is no way for anti-virus to do anything without running into thousands of red herrings

everything that is known is here: https://hackmd.io/@jaskarth4/B1gaTOaU2 the technical info lists items known to be infected. but any mod could be

my advice, if you've downloaded any mods in the past four months, run the check, if it finds anything, wipe your harddrive and do a fresh OS install. if not, don't touch mc for now and keep your eyes out for updates

how do i run this?
%LOCALAPPDATA%\Microsoft Edge\libWebGL64.jar

u need to download the script

thats on the website

ok

That's one of the things the malware puts on your system

so if that's copied from your computer's windows explorer, you're infected

I found some infected mods

Im going to list them rq

...

Too many?

wait wdym

that's literally already in the hackmd live file...

Didnt see it

One of the files the malware creates is that .jar, and it places it in a directory called "\Microsft Edge"

it does

i took the path, pasted in files explorer and it auto closed

fabric loader can run on about anything

I think someone thought of that already

The path is only for windows so if you're on linux or mac that one doesn't apply to you

HI! someone in my guild just told me to delete any files I have updated in the last 24 hours and do a virus scan but when looking at my addon folder I'm not seeing which files were specifically downloaded/updated last night.. so I need to click on each one of these folders from 6/6/2023 ?

anyone currently on mac only is safe

yay

i am on win11

according to their release history, there are release candidate, nothing stable yet

their loader is officially supposed to be mostly version independent and on a blog post it said their loader should work on 1.20

https://fabricmc.net/2023/05/25/120.html

everything that is known is here: https://hackmd.io/@jaskarth4/B1gaTOaU2 the technical info lists items known to be infected. but any mod could be

my advice, if you've downloaded any mods in the past four months, run the check, if it finds anything, wipe your harddrive and do a fresh OS install. if not, don't touch mc for now and keep your eyes out for updates

Just delete everything

If you dont use the mods you might aswel delete them

is this limited to minecraft mods atm?

yes

Yeah, no other mods use .jar

so is curseforge safe 2 use?

everything that is known is here: https://hackmd.io/@jaskarth4/B1gaTOaU2 the technical info lists items known to be infected. but any mod could be

my advice, if you've downloaded any mods in the past four months, run the check, including the CF detector found at https://support.curseforge.com/en/support/solutions/articles/9000228509-june-2023-infected-mods-detection-tool/ if it finds anything, wipe your harddrive and do a fresh OS install. if not, don't touch mc for now and keep your eyes out for updates

I ANT READING ALL THA

No, just wait til they say all is good

Then what are you asking?

is a joke

i am readying it

readding

Oh ok lol

Text joke hard to see

Playing minecraft when uninfected is fine. If you must download a new mod or modpack, exercise extreme caution

Anyone know if adding the tool to a technic modpack you are the creator of would break it in the launcher?

btw, curseforge detector only detect if you're already infected, it doesn't check if you have a malicious mod on your computer

cos I want to be able to add it to my technic packs but I also don't want to brick the packs and render my servers inaccessible to my players lol

is it safe to launch minecraft now?

no

alright thanks

vanilla is safe

If you haven't been infected you are fine. It's only if you downloaded it. If you have no evidence of stage 0 on the machine as far as we are aware you should be fine....

vanilla is the only safe minecraft

what are stages 0 to 3?

Different deployment stages essentially. Each worse than the other

One question. Should I be suspicious if my mod files have a large time gap between modified time and created time?

That could be a red flag right now

Oh wait yours?

downloaded mod files*

so does the malware onlly affect the ege browser or is that just where it is hiding?

So if the DetectionTool says "Malware was not detected on your machine", can I open minecraft with the mods I've always used??

It's hiding in a fake edge folder

stage 0 : hidden in a mod, download and execute stage 1
stage 1 : download stage 2 and make it execute on startup
stage 2 : download stage 3 and execute it
stage 3 : steal every stealable info

It would mean it didn't find any evidence of stage 0. Should be fine 🙂

however, might worth note that there's no big time on about other half of mods

ohhh so me not being able to find that folder anywhere is a good thing

is better mc safe ?

Correct

likely

every jar file should be considered unsafe

what if i downloaded it a while ago & havent launched it in a few days can i get effected?

better mc is fine currently

C&C server was stopped for now (10h ago-ish) so stage 0 first step is all it can do right now.

Hello can you treat the new update of my project: Better-Survival. Because for 3 hours updates have not been released to the public

C&C may be brought up at any moment, and if it happens will take time to get it down again, better not take unconsiderate risks

Approvals are paused....

no

exactly, treat .jar files like the plague for a while

the tool checks all .jars on your computer right?

It checks known locations and filenames the malware uses

no, it only check if you're already infected with stage 1 to 3

it doesn't detect stage 0

so only minecraft mods? no sims 4 or any other game rn

is that right

only minecraft

mk then

thats not so bad i guess

vanilla too?

vanilla isnt modded lol

its the mods that are dangerous

vanilla is fine

It can still affect vanilla though if you played modded

lmao

vanilla is the only safe version of minecraft you can use

wym by that

But if you never used modded keep using vanilla

how about mcreator mods

?

Part of its persistence from the hackmd. It tries to inject itself into all jar files

hmm

k i just wont play any minecraft related thing i guess idk

@twilit parrot @digital roost everything that is known is here: https://hackmd.io/@jaskarth4/B1gaTOaU2 the technical info lists items known to be infected. but any mod could be

my advice, if you've downloaded any mods in the past four months, run the check, including the CF detector found at https://support.curseforge.com/en/support/solutions/articles/9000228509-june-2023-infected-mods-detection-tool/ if it finds anything, wipe your harddrive and do a fresh OS install. if not, don't touch mc for now and keep your eyes out for updates

you have to avoid anything JAVA related lol

If you've played modded and you don't see those files on the system that's been found you should be fine. Just don't download anything else for now

alright

.jar is a java file, not a minecraft-specific file

Honestly. I've been tempted myself to simply spin up a vm completely isolated and see what it does lol. As an infosec major this kind of stuff fascinates me

Bogus email bogus account literally nothing on the system but that

You should, just make sure ur actually safe when doing it

Absolutely

Just straight up get the stage 3 on the vm

There appears to be some evidence that it's been found to detect if it's a vm though... the purpose is unknown so I've held off

What's C&C again?

Command and control

Essentially the server they are using to take control of the infected machines

sorry im sure people have asked already but if the tool didnt find anything then i am safe to continue playing my already existing modpacks via the cursefroge launcher as long as i dont download/upload any mods right?

Just dont download or update any mods. You SHOULD be fine

okey xD ill just run the tool 5 more times over the evening xD

so from the info ive gathered my linux machine is rather safe since this malware targets windows right?

They target both linux and windows

Not mac tho

damn

unfortunate

Just run it twice and start trying to change passwords and stuff

changing passwords ? ._.

will the malware get excisted and show itself ?XD

excited *

Only if you a juicy target 😛

But ya long as it's not found anything you fine

okey ty xD

Is Modrinth also infected?

im just lost when it comes to the more difficult tech stuff rather just get confirmation from people who know more then try and research it myself

so far these are the only four anti-viruses that can

Use the detection tool

What stage of the virus is it?

same as the bat files are checking; not exactly sure about the numbering tbf .-.

Its not a problem of if it can, its a problem of how early it detects it

yepyep just saw multiple platforms mention to just stay away from minecraft but im an addict and need to tend my servers ._. so wanted to check if it was safe or not to just play if the tool didnt detect anything

everything that is known is here: https://hackmd.io/@jaskarth4/B1gaTOaU2 the technical info lists items known to be infected. but any mod could be

my advice, if you've downloaded any mods in the past four months, run the check, including the CF detector found at https://support.curseforge.com/en/support/solutions/articles/9000228509-june-2023-infected-mods-detection-tool/ if it finds anything, wipe your harddrive and do a fresh OS install. if not, don't touch mc for now and keep your eyes out for updates

I admin my own atm8 server lol I know the pain

If it didn't detect anything then it is probably safe but don't install and new mods

so i used these 3 detection tool, was that right?

got it thanks a lot people ❤️

Np

Essentially have been advising my friends to run the detection tool and if found take appropriate action. If nothing is found then they are safe to play, but to not update/ install until further notice

If it found nothin ur gud

perfect

i also uninstalled minecraft and deleted the .minecraft folder just to be sure

Hey so one question

i have seen that on the mod list that were infected

there is a mod called anti chat report

and i didn't download it

Wat

but i have a mod called no chat reports

is it the same or different?

Just run detectior lmao

ye i runned it (even the funky command line on the prism website) tho i want to be 1000% sure

@candid needle these are the detectors you should use

Ur 99% safe

that 1% won't let ppl sleep lmao

Lmao

Never reported this, and forgot about it, but I got a virus from cursedforge back in September.

run the detector to be sure its not the same virus (very unlikely)

Mehh it should be fine now. Just ignore it unless you remember what you downloaded

Ok, I'm not home so I can't check.

If its actually the same virus you should report it

and i suggest cleaning your pc just to be 1000% sure

if its the same virus, maybe its the old version of it and its not connected to the C&C anymore, since you said you got it in sept

It was some crypto mining virus, just started up once I started minecraft after getting an updated mod, but I already cleaned my pc 3 trimes.

Oh, lmao. Ur fine i suppose

what file do i use to run the detector

@grand fox

So I now have modded minecraft open (yes I know it was risky), and the tool keeps saying "Malware was not detected on your machine", can I play safely with this modpack I made? obviously without installing or updating mc. Also does the detection tool work 100%?

the first .bat file is in pinned messages in #🧱︱mc-other-help

just run it and check if you have the malware

these are the files i have

the second one is the script from https://prismlauncher.org/news/cf-compromised-alert/#automated-script

It detects the known locations that the malware is known to reside once it hits stage 1

If it doesn't detect anything after you have run minecraft, then it should be fine, just do not update until further notice

the third one is from cf support

What about seperately downloading mods from authors on curseforge website?

Is there a chance I am infected?

is it safe to download better MC yet?

You shouldnt have any issues

I dont think so

Curseforge was hacked?

wdym? If you downloaded mods during the time when the problem occurred, there is a possibility of getting the malware - now its almost impossible to get it on curseforge

nope, maybe read #🆘︱current-issues🆘

DEVs will for shure make an announcement if its all save

Right now all projects are being reviewed

Until that time no mod or modpack should be treated as safe

If you MUST download again exercise extreme caution

does the curse forge detection tool check your installed mod packs? if its all good and clear, can we continue to play?

It doesnt check mods, it check if the virus ran stage 1

you shoud stay away from everything mod-related, till further notice.

it checks the files that the mod inserts itself into

are older packs ok or are they unsafe too

got it , ty

also unsafe

unsafe too

damn, i'd rather just wait it out then

So was RLCRAFT one of the hacked mods? i see it suddenly has an update

Dont update

Just dont.

Its not in the list but just dont

If the detector says you are clear them you are safe to play existing downloads, just avoid downloading for now

best choice you can make

The list is living. It may or not be. We don't know the full scope yet

Thus why we say don't update

Ask better on the Rl craft discord for this, always ask the author/team behind the pack

Is it safe to play if i don't update?

before i knew about it i had downloaded enigmatica 2 expert at like 1 am or sum today but i didnt see anything on my pc after the check

So long as stage 1 was not run(detector doesn't find it) then yes

The problem is that even if the detector finds nothing ur still not safe

Its possible for the virus creator to somehow get the dormant stage 0 virus active again and infect your system. But it will most likely be announced

is there a list of actual modpacks that have been infected? like pixelmon or BigChadGuys Plus

Check hackmd

All mods are assumed to be infected due to how the virus works.

Assume the worst

how do I check hackmd?

wait so if it runned stage one, it could've run stage 3? (ik this might sound dumb but maybe it deleted the stage one files or stuff)

Huh

Just check the website

which one

hackmd

curseforge support thing

or prism

@candid needle https://hackmd.io/B46EYzKXSfWSF35DeCZz9A#Credits

aight thx

I downloaded allthemodium and it was having a problem is this because of forge?

bro- you might wanna run the malware scanner in our discord.

compatibility error

if the CF checker doesnt detect anything are we 100% safe

i dont think so

what does "check for an entry "mean

what am I looking for here

like it says look for an entry but thats not very specific

Why cant i go to curseforge without getting "error code 1"? i have tried running it without mods too

Paste created of latest.log, uploaded by Null.

I dont exactly know what an entry is

so guys if the detector says im all good, am i 100% safe or it doesn't check stage-0 and my pc can be infected later on?

an entry is anything on the right hand side

nah I think you're good

for now

you should be looking for stuff you don't know i suppose

wdym for now lmao

It appears that most of the big ISPs now have the malicious ip sinkholed

you could have mods that are infected, the checker doesnt check the mods

i deleted all my mods

everything related to mc

Sorry I dont understand what you mean, but you mean data?

i deleted my .minecraft folder, all .jar mc-related files ecc.

https://i.imgur.com/REItHLY.png

this is an entry

So the name

in simple terms

sure

or are you referring to the red

anything on the right hand side, that has a name and a data entry, is an entry

so check those for things you dont know the name of

Might be on the right for you but for me it's on the left which im sure doesnt matter

i dont know why they didnt say what to look for specifically

oh really , didnt know you could move that around lol

check familiar things?

Only thing I dont know is this

Is "Spool" related to a fabric plugin?

do you use a espon printer

oh no wait this

yes

that ok yeah thats fine

am i safe?

Well you checked right

or just for now

and you deleted everything

yes

i checked multiple times

well here's the thing what theyre saying is that phase 3 hasnt activated

because their server went down or something

theyre saying it's really bad if it did happen but I think you're good

just phase 3? I saw that they check phase 1 too

just manually check the 3 spots

wdym how

https://hackmd.io/B46EYzKXSfWSF35DeCZz9A#If-your-browser-is-lagging-go-here-instead Phase 1 leaves 3 spots

https://i.imgur.com/rceYPUX.png

the curse forge detection tool does this for you if u used that

how do i check the first one

manually

linux or windows

win

I would just do local app data

see if theres a microsoft edge folder WITH a space like "Microsoft Edge"

thats a fake one

how do u do that?

do %LOCALAPPDATA%

in win+R?

nah just file explorer

both works

ok

in the little black par near the top

search it up

see if theres the fake folder

if not you're good

i dont have the microsoft edgebut i have this

most of those spots dont even exist for me, I dont have a Microsoft Edge folder anywhere, should i be fine?

For example I have Microsoft and MicrosoftEdge, not a 3rd one

No folder means you're good

what are these?

for the third option you just need to see if theres any kind of shortcut

how do it do that?

Focus on the first one first

i have no idea what those are

but do you have the microsoft edge folder with a space

i did it, there's no microsoft edge

Good

ok

ty btw

are you in the startup folder

np

nope

oh same thing as first except just type in the full folder location

%appdata%\Microsoft\Windows\Start Menu\Programs\Startup

ok just a sec

if there is a shortcut file that is bad

ok the folder is empty, there are no shortcuts

oh good

2nd method is a little complicated

im so safe i aint even got a start menu folder for microsoft

for the registry, step 2, what do i do?

lmao

wait im confused af, i runned with windows+r %LOCALAPPDATA%\Microsoft Edge, and it opened me to C:\Users\user\AppData\Local\Microsoft

so it means im safe or im dumb

what the hell how dont you have one

idk

Local app data is just like a short way to say it

my defenses are unbeatable

it's completely normal

its if you want to go to your local data without having to click all folders

Go

ok

the weird thing is, i don't see that microsoft folder if i try to open it from local

microsoft Edge?

and i have hidden files turned on

with a spacebar

Microsoft Edge

ye i checked it already and i don't have it

Good

thats a fake folder created by the virus

when i hit enter its just the same

wdym

try clicking on hkey current user

expand the list

and click on software

ok

What file do i run to run the detectoon tool?

the .exe I think

and

microsoft

then windows

then current version

then run

tell me once you're there

I am there

Theres no .exe

https://github.com/overwolf/detection-tool

Did you ever figure this out? Lmao

Oh where'd it go

idk where the exe is

Hell no this is so stupid

what language do you speak pheonix

not an insult but for info

italian

https://github.com/overwolf/detection-tool/releases/download/0.0.1/DetectionTool-0.0.1.exe This is the exe link

yeah ik sorry

The filder has no .exe file

i might have an idea for it

Gotcha. Only ones on mine that seemed sus are the AutoLaunchers. But they appear legit from a quick search

Then you're good

wdym lmao

was wondering about the (predefinito)file

it means default

uhm the virus what to do

yeah thats default in italian i have it too

I think its just the default path for a registry

what are you checking in the registry for? I have an overwolf entry in HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run

but in english

ohhh r u italian

no I mean I have the same file just diff language lol

oh yeah ok

Had the same question

it's not stated

Not sure, I presume it'd be something either mentioning "Microsoft Edge" with a space, or something that none of your installed apps correspond to

I dont know

I was told to check for anything you dont recognize

I just ran the visual studio file and it seems to work

Luckily im not infected

i have 3 .exe files in here

its chrome.exe

I'll be honest I don't dip into the registries on the regular so I don't recognise any of it

i think it's to check if there is some unknown one, like with file address going to the virus

msedge.exe

Yeah

probably for that reason

Based on the names you should know some

and like onedrive.exe

am i good

see if there are any abnormal locations

there arent any

I think, only concern is the microsoft edge

idk if thats real or not

check its location

ye

if its real you're good

ok

https://github.com/overwolf/detection-tool/releases/tag/0.0.1 is it this?

Oh yeah for sure. But it'd be hard for me to check if the virus was disguised as, idk, the docker desktop registry

I would check the file locations

ty @main tree

my reason for asking this is the fact that the dude who made it has only made one contribution in 2021

np

oh wait no its fine the links are the same

its trustworthy

ok i gtg now

Yeah, my only noticable thing there is that chromium (which I could've sworn I uninstalled but hey maybe this is a remnant) is using a lower case path.

probably looking like this (mockup)

Where's this screenshot from?

me, edited in paint just to make a mockup of what it could look like

so how is it going anyone know how long till i can use it?

oh yeah that is definitely suspicious

would wait a day or 2 or change launchers entirely depending on how it goes

all depends on how it spreads

im useing ATlauncher atm

but curseforge

is ez

for servers

very easy yeah

I would keep your server down and not install any mods until they have a full list of mods that have virus

yea

what do i do when this appears?

just discovered about the curseforge breach

why u on paint