#curseforge-support
What stages of the malware does the CF scanner detect?
first and second
Stages 1 and 2 I believe if not 3
i think
I love how this is happening on the same day as the 1.20 update. yahoo
Should be right.
it could be 3, tho idk if 3 doesn't delete the stage 1 and 2 files
If it gets to stage 3, will it still be detectable through older stages?
I used to have certs but they don't matter as much anymore
that's a question i asked too
CISSP?
Is there any way to scan for stage 0?
It won't detect it if it is dormant. Requires you to run a file affected so that it can create the needed directory, I believe. Could be wrong.
Got my CISSP 5 years ago I stopped maintaining it
This. It won't detect stage 0
So it’s possible that I could have the virus on my PC for however long unless I don’t uninstall every jar file on my pc?
In my opinion, I would just delete all files that are possibly affected. Since it can spread to other .jars, I just deleted all of them after I checked to see if the malware was active.
If the directories are not made then the infected jar file was not run yet.
Or none were infected kind of a toss up given ongoing investigation
I mean I’ve run every modpack I have and the directories were never created, luckily enough I don’t usually play premade modpacks
For me it was enough to just reset my PC completely and reinstall everything (except any Mod Launcher for now). Will stop playing for a while now
Are only Jar files targeted?
I feel like that’s a bit much lol
i don't think it should be there
Safe to say so long as you don't download any new ones until confirmed they are safe you should be okay but be on the lookout
where is it located tho, i would look for myself
From what I know. They mention that the malware is inserted into .jars that are viable candidates for the malware.
It’s also pretty safe to say that if you didn’t download any of the compromised mod packs/ mods (mostly lunar pixel projects) yesterday you are in the clear. There were some misc malicious mods circulating for the last 2 months but I don’t think they picked up a ton of downloads.
Stage 0 can't execute mainly because the C&C is offline, which could change
What is c&c
its a file in my desktop that i could see after turning off hide windows protected folders
Command and control server. Essentially the server being used to infect the machines and extract the info
It's how it "phones home" so to speak
I am hoping the way I did this works.
Could stage 0 mods be activated at this point though? Considering the server was taken down by the server provider
It’s annoying how this all came up the day of an update when everyone’s gonna want to play new mods
So I have to run the detector once in a while, just in case.
Nothing stops them from trying to put a different one up
Was probably planned like that
Yeah, lots of traffic? Perfect day to spread malware.
Thats very unfortunate but what can we do now? Just wait a bit until its settled
Wait, does the mods on Modrinth have malware or is it just on Curseforge?
Yeah just don’t install anything for now and keep an eye on the infected directories if you run anything
O shit it's the seventh 1.20 is coming out
aight, after some research im pretty sure it only means that jar for that file was once in desktop
Be wary of any mods origin.
Its out
My PC is reseted. I dont have anything in the first place
Ok so nothing is safe atm
Zamn
okk thank so much
Do we have the tools to scan for stage 0 yet?
Stage zero requires examination of obfuscated code. Unlikely it will ever happen
What's the difference between stage 1,2 and 3?
If the current scans say you’re in the clear, then just wipe your mods as a precaution and wait until mods are confirmed clean once again to download them back.
Stage 3 is bad stage
You might not feel a need for it, but I would just take a torch to your installed mods if Stage 1 hasn't activated.
Should remove all possible malicious files.
Exactly, folks only need to worry if the current scans come back positive.
Excuse the language but this so fucked…..
Ikr
Stage 3 is the point to where your credentials could be( or depending on timeframe) have already been stolen. Stage 1 is establish persistence(infect the other jars)
Malware and viruses as a whole are, but people suck so we’re stuck with them.
I think that I am going to play FORTNTIETEHGH (Jk, gonna play some tf2)
It is a pretty good shot by them. This was the perfect time for a malware attack considering the 1.20 update.
Stage 2 is when it runs on startup and leaves the files that the current scans find.
This has been going on for a bit already, it just happened to be found around the same day as 1.20 launch
Did they put the detection tool out already?
All it took was one slip-up with a high profile account lol
3 of them
Detection tools are out
Or it was intentional. Who knows
Check 'em out.
Where can I get them?
What @sterile kestrel said
News one has the one deved by CF. The hackmd has some scripts that were developed last night as it was discovered
I think that they wanted it to happen at the same time as the 1.20 update because of the fact that a lot of people would begin to download mods when the update would launch, which allows a very easy source of credentials for the hackers to take
Since it’s been out for a few months it’s likely that the increase in modding with the update just produced enough traffic for it to be found.
Really shows the need for code signing tbh. Apparently CF tried before?
More people watching leads to a higher likelihood that it’s caught
Correct and correct
Oh wait so it has been here for more than one day, and Curseforge didn't notice it?!
It was highly obfuscated and wasn't noticed because CF wasn't compromised, only some high profile mod accounts
Itās unknown if the malware creator edited timestamps but supposedly the last 4 months are questionable with an increase in the past several weeks.
Anyways i can download overwolf right
Even then it wasn't actually noticed until lunar went wait a minute that's not us who logged in lol
how do i update curseforge profiles from 1.19.4 to 1.20
That’s why CF is scanning all of the mods on their site now since it’s not an issue on their side except maybe security.
really dumb question: do we need to have curseforge downloaded (since i mainly download from the website) for the tool to work or
Nope
is it safe for me to launch my modpacks?
aight thanks
Have you run the tool since downloading them and have they been run?
its safe for download and update mods ?
what tool
how do you use the detection tool?
No problem. When it comes to cybersecurity no question is dumb
Check #news
Step 1: scan. Step 2 (if no malware): delete your mods and wait until all clear. Step 2 (if malware found): wipe everything and you should clean install windows to be 100% safe.
i thought that was just some mods and that the team already removed them
its not that ?
Nope, there are more
The list is ever growing. More mods are being found
They removed the mods they knew about but not every mod is known
We just don't know which ones.
As mentioned, just torch all the mods if Stage 1 has not come to pass.
download it and double click the file
it just opens
Essentially the way it works is it infects other jar files you have on your pc with the phase0 malware, which is mostly important to modders because they don't notice. This basically makes the malware spread like wildfire as people would then be uploading their updated mods online not knowing it had it in the first place after getting it elsewhere
Do NOT take the risk of using any modpack that is possibly affected by malware.
So no, it's not only some mod teams
hello i had a question. does anyone know a minecraft server hosting site were i can host a free modded server for me and my friends?
Aternos
Stage 1 is what spreads it among all of your .jar files so if you got 1 that had the malware (even if we don’t know it does yet) they could all be infected.
What does it say? A screenshot may prove useful here
so how do i use the tool
yea i know but the mods i wanted to play got deleted from that site so do you know any others?
Open and run. Keep in mind I haven't run it I'm on linux
idkk where to download it
its just a folder inside it
it didnt say on the link in #news
It's the third link in the news channel btw
if i downloaded a worldedit 7 days ago would i be safe?
and theres no exe in the folder
this is the exe
Not necessarily it's been around since may possibly April
Stage 2 is when you’re past the point of no return and it allows stage 3. The scanner only scans for stage 2 so delete all mods anyway.
Check to be sure
is worldedit infected?
Oh good we got it ran
The new tool scans for stage0 now as well
Oh does it? What's it look for?
Just any known infected mod?
Idk but that's what the tool was specifically for. If you read through the thing they explained how to search for stage1 &2 and they were making the tool to detect stage0 which is now out
If that’s true that that’s great
Huh I thought it was the other way around
¯\_(ツ)_/¯
Hi does any one know why Iris is crashing my minecraft? I use a curseforge launcher
Now I'm rethinking that it makes sense lol
But is it now?
According to turtle it does so
I'm working (on lunch) so do not have a lot of time to absorb new details since last night
Alright good
could go to the github and take a look at the source code
That's what it says in this https://hackmd.io/B46EYzKXSfWSF35DeCZz9A
Which is the nekodetector people have been using
Wait if I haven’t touched my craptop since may 16 I’m safe?
Just run the tool to be safe best not to assume
Oh nice
I cant run it for another 3 days…
Looks like the tool appears to be complete. I'm on linux haven't found directories but will run then
They said scan anything from the last 4 months
The ones I've been referring to were the scripts and CF. I knew this was in dev but didn't know it was complete
Yeah yeah the scripts were for 1 & 2
I believe this was finished recently
I will have to run it when I get back home in 3 days. I gotta go through an 8 hour flight in 64 hours
I ran it a couple time and it came back clear luckily so seems like it never was on my pc
If I never had any of the directories is it safe to say that the virus at least hasn’t gotten past stage 0 if it’s on my pc
When an IT community get riled up on security, shit gets done lol
Yes, delete all mods though
Yes. The nekodetector though should detect stage 0
If it hasn’t been detected on first stage, it won’t be on other stages
How long is this going to last?
how informative!
However long it takes to conduct thorough review of the mods on the site
Yeah I’ve deleted all Jar files that ik of, from both curse and modrinth, idk if maybe there’s some somewhere I’ve missed tho
Yeah, torch your mods to be safe I would think, even with a detector for St0.
Does anyone know who did the hack?
Nope
Hmmm assuming months or weeks then based on your response
Theoretically if it detects nothing of stage0 would that mean those mods on your pc are safe and don't need to be removed out of curiosity
I think there’s suspicions rn but no answer
Indeed.
Ik before it was better to because we couldn't detect 0 only 1 and 2
You can’t skip stages, it must go through stage 0
CF claimed everything could be scanned in around 12 hours
To get to next stages
If we can reliably detect stage 0 then there isn't a need to torch the mods if it doesn't find anything
Is anyone working on a scanner for stage 0?
That's actually kind of impressive that's a lottttt to scan in only 12 hours
Stage 0 scanner ^
I saw that, just dk how to run it
Does the curseforge one scan stage 0?
No
It's it's own jar(ironically)
It depends on what you think of as reliable. I still torched my mods, but this is a new detector. I am just a rather safe than sorry person, though, so I think that's just me.
Oh absolutely. I ain't gonna fault you
Does the cf scanner look for anything past stage 1?
Yes, S2
To run it though just open cmd and run java -jar scanner.jar 4 C:\
So cf scanner scans stage 0, 1, and 2?
May need to include absolute path to the jar file
Cf does 1 and 2. The neko detector above does 0(perhaps 1 and 2? Not sure on that)
Alr thanks
What if it’s on stage 3, would it detect s2 still or is it untraceable after s3
CF does S1 and S2. From what we know, Neko detector does St0
Stage 3, I don't know.
Is there a video or step by step guide on the neko scanner?
No clue.
is it safe to play sky factory 4 currently?
Define safe
No mods are safe atm. Use the detector beforehand if you are going to go ahead anyway.
And after ^
how do i download this nekodetector? github is too confusing for me
I am currently trying to download the Detector Tool from both GitHub and the CurseForge Support site, and both locations I am prevented from downloading due to the file saying "virus detected". Is there a fix for this?
Browser security settings most likely
There are no releases of the detector for me just yet.
Turning off the browser security still didn't allow the download to proceed
so do i download the ZIP or what
how do i use the detection tool?
i can't download nekodetector guys there is no option in the github
Click the < > Code
i did, what i do after that?
then do you just run the cmd prompt?

gradlew.bat
says windows protected my pc
You can turn off your windows anti virus temporarily if you feel safe enough to do that
so like can i download any mods like security craft, scp overload, scp restoration and mrcray mods without getting a virus? or are they also unsafe?
Means windows defender blocked it
Usually there is an instance of run anyway on expand
i did that
I’m dead
and it installed what do i do now
Until further notice NO MODS are safe to download
You do so at your own risk. If you MUST download then you should run the detection tools before and after running them at minimum
What about mobile
what now?
Why can i load Fabric/Vanilla minecraft but not forge?
it gives me an error code when i try to
if i have not updated a mod can i play it?
pretty sure this just builds gradle, doesn't run the detector lol
i keep getting this error code when i try load up forge minecraft why is it?
what do i do after that?
I think it may have to be built to run it. I can't test right now unfortunately
Apologies but may ask someone else because I am currently working and responses will be slow
yeah oops forgot to mention that was the start
hackmd has the rest of the tutorial
Pretty sure the detector is not done yet and they still need to compile it before everyone can use it
would get it if opera wasnt slow as shit
Can someone help me please
Hello. I have question about these malware mods.
I uninstalled CurseForge and then ran detection tool. It said there is no any malicious files, but I have doubts if I did something wrong.
Hey guys, how to run the detection tool ? there's no .exe
I think you have downloaded it from git hub. Try downloading it from curse forge website.
ok
if i downloaded mods like last week and now deleted them and if i would delete curse forage for some time, am i safe?
@teal trout please avoid using slurs
I think you should check it with this detection tool
Yes
alright
sorry
but like i deleted them so like they should be gone right
Hello, I've run detection tool, manual check and also blocked the IP that was given (just didn't edit host files), yet, i cannot find "%LOCALAPPDATA%\Microsoft Edge"
So, should I have CurseForge installed to use detection tool?
Good
Thank you, going to delete the files now
I was worried about it. Hopefully I don't have malware :)
just wondering is mods rn on the platform are safe or not
you need to keep searching for malware until your results look like this
Found nothing
wen did this start? i ran minecraft with the mods 2 days ago
and if i have been using some mods for a while am i able to get ratted ?
Hey! Question, was the modpack "Fabulously Optimized" affected?
this morning GMT i think
Yet, my only doubt is, servers like Aternos are safe? Like, should I reset the server after all of this settles?
How long this scan should last? I pressed scan button and it instantly said "NO".
WHy do i keep getting this when i try to load up Forge Minecraft
results are pretty fast, it was instant for me too
Ok, thanks for help
It's instant
is the tool safe to use?
I think yes. I scanned with malwarebytes and put into virus total and no results.
Yes
wait wont windows protection just locate the virus?
not always, it usually cant detect them
Wheres the actual bug detector file?
what are these ?
is there any way I can get curseforge to install mods that are on my computer already?
help someone please tell me are those virus?
most probably yes
no lmao, windows files.
Either windows files or viruses
a mod please answer
ntuser is user files
seems russian to me lol
please do not give people advice if you are not knowledgeable
is it safe to play a modpack i made a few weeks ago?
can we ping a moderator?
why? I already told you what you posted is not malware
ive already ran the tool and didnt get the virus, is it still safe to use curseforge or not yet?
i need to know if they are virus or not
It's not
It means im right?
I'd say currently your ok
i also run the code and didnt get anything
Can't figure out the nekodecector
if youre that concerned run your anti virus to scan those files
It wouldn't help much even if you had an anti-virus as this is not detectable yet.
russian spyware, delete immediately
bruh fuck off
are you serious ?
how do i use the detection tool, i downloaded it but dont know how to run it.
bro thats russian
no he's joking :\
im confused, please dont joke about thing
is it fixed
@young sedge are you russian?
How do I run the neko detector ☹️
Which os do you use?
no,
Windows 10
i had russian folder before i guess
if you know those folders they're fine, ntuser files are user files so they're also fine, did you run the detector program?
i hope my warranty covers a reboot
uuuhhhmm... okay maybe you might be infected with a different virus then, install an anti-virus like malwarebytes
Bro I think u got more malware than just this, unless u know those folders
I wouldn't reboot right now if you are infected
i dont have any issues right now
yeah that's the point of some viruses, you're not supposed to see it.
yep looks normal
how do i run the detector?
is launching atm8 safe rn on curseforge?
The world is a magical place isn't it
@calm plover Am I not supposed to input the given command into powershell? There's no .exe
I am hoping someone can help me, I am getting an Exit Code: 1 when trying to load a 1.19.2 Forge modpack Cottage Witch version 1.19-1.14.9 . My GeForce driver is up to date, I just updated my Java yesterday. I have included screen shots of the drivers I have for both (in case I made an error somewhere) along with my latest.log file. I am out of ideas and would appreciate any help I can get. Please let me know if there is any other info I can provide to help you help me ❤️
Paste created of latest.log, uploaded by Fade_Alchemist.
never heard of neko detector sadly
how to fix it
Is it possible to get detector tool for Mac os as well. I know it wasn’t targeted but still, java is cross-platform
i think i know what those russian folders are, i know a bit russian and country i live in use russian as second language,
guys
they said that the virus only detects if you use Windows or Linux
why is there no Litematica in minecraft mods?
So is the curse detection tool 100% accurate?
No, but its a good start
How to fix it?
Also check the registry for an entry at HKEY_CURRENT_USER:\Software\Microsoft\Windows\CurrentVersion\Run
why does it not say what to look for
where Do I put that command?
i haven't downloaded anything from curseforge since i last formatted my pc, am i ok?
If you downloaded and or executed any mod since may this year, maybe not
every mod i downloaded from the site i checked on virustotal
Well the last modpack I downloaded was Seaopolis 2 a month or 2 ago. Hopefully I'm good
thats right?
As far as I know, it's not detectable by antivirus yet. Try to use the check up virus script that was given, and or check manually for any weird folders from the link given in news
yea, and what would the bad bit look like
like if u was infected, what would be there
If you follow this website, the team is constantly updating with helpful info https://hackmd.io/B46EYzKXSfWSF35DeCZz9A
the virustotal check for the detection tool shows that the file communicates with an IP that contains malicious content
I just play downcraft with my friends last week is it safe?
you can block said ip through windows firewall
Assume not, check your files following the instructions given on the link I provided (https://hackmd.io/B46EYzKXSfWSF35DeCZz9A)
yo i'm trying to use gradlew.bat to scan my pc but it always closes should i be worried
you're not running the scanner
that just builds Gradle
what scanner
where do i get it
Here: https://prismlauncher.org/news/cf-compromised-alert/
This one's a bit easier to follow
Malware is being distributed through Minecraft mods and modpacks mainly through CurseForge
when can i use curse again
Don't know, did you use the script or checked for the registry entry?
is it the website or the app?
I would wait until they finish the full scan of the site before downloading anything.
how to run the new tool?
When they say its safe. Uninstalls all jar files
I scan it when i hear this problem, it shows green word that mean i'm safe or not
does deleting and reinstalling windows system help
fuck
that is the source code
If it said that there was nothing, just block the IP on the firewall (link https://prismlauncher.org/news/cf-compromised-alert/) and don't use modded minecraft for the time being
it's ok, but don't play minecraft modded right now
So it's ok to play 1.20 server with none mods?
Yes
I don't have the knowledge to tell you if it's safe right now
e everything save, there is also an issue with plugins btw, so dont use them
i hope creator of that brutally killed and tortured
Official Prism Launcher Page
Is allthemods safe?
Meant to take a screenshot with the address bar but jinxed it
Ah, it's said that is the malware origin IP, so blocking it serves as a deterrent: "@PandaNinjas has reported:
use your firewall to block outbound connections to 85[.]217[.]144[.]130, and modify your hosts file to include 0.0.0.0 files-8ie.pages.dev On linux add that line to /etc/hosts, on windows add that line to C:\Windows\system32\drivers\etc\hosts"
Let’s go to the owner’s house
Was curseforge hacked????
It explains the origin.
And I believe not since it seems to be offline
Yes sadly
What does that mean if I have curse forge????
Is allthemods safe from the malware?
No mod nor modpack is safe for the time being. Abstain from playing modded minecraft until it's safe
Something for the modpack devs I however run my own server and am not finding my arm8 modpack compromised
Any minecraft or just curse forge??
Only the mods have been compromised, not the app
Refrain from downloading, updating, or otherwise running any mods for the time being
Should also note that atm8 is being very nonchalant and just saying "don't cry wolf" which irks me but thats neither here nor there
Alr thanks
wdym
i didnt touch app for the past two days
Any modded minecraft or just curse forge?
Uninstall all your mods
Doesn't mean anything. Infected files have been found to go back to april
All modded minecraft, no matter the origin of the mod
i cant use my computer rn
I should uninstall all mods?
Noone said that?
Correct
?
If the malware was found, should I reset passwords and stuff
Something is getting lost in translation. You just said your computer was unusable...
This applies if it hasn't activated stage 0 as far as I understood
question, if i use a modpack on curseforge which will not automatically update, and none of the mods are infected, would it still be safe to run said modpack
Safe than sorry. Enable 2fa etc
i meant i am away from it
?
Theoretically yes, but you'll want to be extra cautious if you do. We don't know full scope
It should be safe, but it would be better to wait this out.
are those malware?
Also, run the detector and antivirus before and after you play the modpack
is that the scanner tool
Im not even gonna open my computer til this gets solved
have done that
Possible but hard to tell. I'm not seeing the ones it would normally find for it here
malwarebytes
free or premium
you need to run the mods for getting infected ig
i've run my antivirus + both detectors currently available just to be safe, and i did it right after the modpack started again, planning on doing it when i close the modpack just to be safe
would virustotal detect fractureiser if i were to say upload a mod jar to it?
free
Wait so I can't even uninstall??????
Here @digital roost
the only thing i downloaded since april is dawncraft
i decide to delete windows and reinstalled it
Change your passwords right after if at all possible
So what am I supposed to do right now?
you only need to do this if you've been infected with a stage after stage 0
and really only at stage 3
but you should be cautious regardless
I would cry if my account got stolen
The only way i found out about this is from AT Launcher, do they not have any warnings on curseforge?
change all your passwords now
Personally, I am changing my passwords anyway. I don't have the malware, and I am fairly certain I have gotten rid of all possible infection points.
Not to be paranoid or smth but what if the scan itself is a virus made by hackers that hacked the admins discord account
It’s not lol
What if they did though?
What if i dont have any of the mods installed that were infected
The admins still have access to their account
You should still be careful of playing Minecraft Modded
just dont run any mod till the devs say its safe
I use lunar normally to play mc
The list is growing. Download at your own risk.
That doesnt matter: Stay away from Modded Minecraft until this Issue is resolved its for your own safety
If I didn't run minecraft am I safe?
Pretty funny one too
I barely play modded MC as is but ill stay away from mc but what if its running in the background like in my taskbar
yep
If you downloaded or updated any mc mods through forge the files would be on your computer, you don’t have to run it
Aight might just play fortnite until they say it's safe ngl
What if curseforge is running in the back ground
It should be fine
May 20th???? I did play at may 20th modded minecraft
It wouldn’t automatically be downloading anything unless you downloaded or updated any mods. Just having it open is fine
I played modded after may 20th…
manual install supremacy tbh.
I am so glad CF is manual install
Y’all just run the checker, it’ll solve your worries!
I play modded MC every day...
But the detector said there was nothing
Is the checker safe?!?!
the checker is a bomb
this good right?
Then you should be fine
All the detectors provided by the CF team are safe.
I think I did
So i should run the scanner
Yes. If you play anyway, run the scanner afterwards as well
Last i played was RL craft and its like 1.12
Ah alright thank you I was scared (also just to answer the question the modpack was pixelmon)
Wait am I not 100% safe from "stage 0" (idk what it means)
how do u run it
The detector cannot catch St0 mods, only S1-2.
Stage 0 is the dormant stage of the malware.
can we still play our old ones?
how do i download the checker
where do i download the malware scanner?
Head to #news
So should I run it every few minutes ??
Also what am I supposed to do if it gets to stage 1 2 or 3
I just heard about the mods. Before this was announced, I found 68 corrupted file on my computer. Which was odd because my mod list didn't change. I had to completely wipe my computer. However it is possible I still have the corrupted files in my external hard drive. I would like to speak to someone about investigating these files. I suspect that the corruptions were installed through an update.
Personally? I just run it before and after. I loaded up MC and immediately did a scan to ensure my game didn't launch with corrupted .jar
Stage 1, 2, and 3, I do not know. I am not an expert, so I can only offer my opinion, which should be taken with a grain of salt.
So stage 0 is what is hidden in the mod or plugin. It connects to a random server that is at the moment not online. This means that stage 1 can not be executed on your computer right now. It is however possible that the server comes back online eventually. So I would refrain from playing recent mods at the moment
i ran the gradlew thing on nekodetector. how do i actually run the detector?
From what I know, it is not actually complete.
Doc has been changed they recently tried to stand up a new C&C
can someone send me the link to the scanner
ok,thank you.
As long as the provided scanner says that there's no stage 1/2, I'm good to delete any of my installed my mods, right?
Yes but the C&C is for stage 1 and stage 2, since the IP address that is taken down was hard coded in stage 0
Thankfully
That's what I did. I torched my mods once I checked for stage 1-2
can you send me the scanner?
I did....
Aight, bet. I ain't gonna get caught playing with fire
who do you use neko
time to torch mods and curseforge
CF itself is fine. Just the mods atm.
So they're not stealing my information in stage0?
That happens in S3
Nope
Just torched all my mods and deleted all backup profiles and mods
St0 is the dormant phase, where it waits to be executed.
S0 evokes S1; S1 evokes S2 and S2 evokes S3. In S3, they steal your data
does the malware scanner detect the malware in all stages
No, only stage 1-3
i ran the scanner and it says nothing was detected
and stage 0 is whats within the mods before theyre ran in jvm?
nothing was detected for me so i destroyed my mods and mod packs
does that mean im safe to use the mods i have
I recommend to torch the mods for now.
So technically if you destroy everything mod related and run the scanner you should be fine.
can i just quarantine my mods? (none are infected)
At the moment, since stage 0 is dead (temporarily?). But, I would not risk it if you have recently updated any mods
does torching them mean deleting the mods and removing them from my mods folder completely? and deleting them with recycling bin
Yes
I haven't launched curseforge for a while, and uninstalled it & all mods when i heard of the situation
also ran the script and detected nothing, am i good?
ive recently installed some, but dont update mods ever unless theres an issue with them
i executed the detection tool and everything seems fine, i haven't downloaded a mod from curseforge from at least 1-2 months ig
How do you know if they're not infected. If I was you, I would have taken a screenshot of the mods you have so you dont forget them, delete everything and reinstall em when everything will be fine.
Yes, but only (that we now if) once it infected the system
ran them in a vm, plus theyre 2+ months old
just uninstalled curseforge
ive installed two mods recently, the curios api and the one probe (1.18.2)
Curseforge is actually safe.
Then you should be fine, but if you want to be absolutely sure, just wait with playing until the storm has cleared
well for the time being just to be safe i uninstalled
All traces of mod files need to be completely annihilated in order to minimize chances of infection, in my opinion. As long as they are not in an active state, you have your chance to torch them.
yeah i understand you
so delete the mod folder completely?
ik, thanks!
is DetectionTool-0.0.1.exe the one that im supposed to download?
When you download a mod yesterday but detector says clean
Save your worlds, and delete the .minecraft folder. That's my advice
Might as well. CF will create a new directory once a mod is downloaded.
Which big modpacks had the sht mod UltimateLevels?
other than those two i havent installed any in a while, does the detection tool scan the mods you have downloaded or is it just looking for issues from them?
Yes
When virus
fuck my Worlds ill delete my whole thing
yea fuck dat im deleting it all bro
It scans for a fake Microsoft Edge directory that the malware creates, and another one which I am not sure about.
why cant antivirus programs detect this tho
It scans for when the malware has successfully executed, but it can not detect at the moment if your mods are infected
But there is also a script you should run, and a bat file.
what is that
Is the virus stuff affecting Forge, Fabric, or both?
Both
it says there was no malware but should i still be wary
Both, from what I heard
Look at #mc-other-help, there is a .bat file
It checks the startup programs in the local appdata folder
Yes
okay i ran it and it said there was nothing
Yeah. The malware creates a fake directory within the folder. A telltale sign of whether you have it is if the 'Microsoft Edge' directory has part of the name as 'Microsoft Edge'. There is no space between those in the official directory.
I just wanna say that we should all thank our devs for the work they're doing, but to stay 1000% safe, you should delete everything that is mod related and run any antivirus possible.
also, my minecraft launcher icon changed, is this because of the 1.20 release? or is it an effect of the virus. this is the launcher that curse forge opens, not the default one since the other one(the one with bedrock) was worse
There are actually 3 tools to scan if you have the malware.
I think so, there is no sign that the malware changes the icon
oh the default one changed too
The malware shouldn't affect vanilla MC or the MC launcher.
i also dont have the MicrosoftEdge directory without the spaces
bro you should immediately factory reset your computer
so microsoft edge is a fake?
MicrosoftEdge is safe. Microsoft Edge is the problem.
They are unsure, the code shows that stage3 tries to inject the same payload in vanilla. But if it works
only type of microsoft edge i have is a shortcut bc its my main browser
woah wtf
Yikes. Did not know that.
Is this message from Curseforge or a mod?
What does stage 0 is dead mean?
The servers to run stage 0 are actually off
Which big modpacks had the sht mod UltimateLevels?
I cannot run Curseforge, what do I do, it says "Seems like we would not load Curseforge."
St0 atm is not working as the server is off
Why it began in April, it's still stage0 now?
wdym??
The servers hackers use to run the virus dont work
what would the fake microsoft edge look like?
cause i have one thats programdata and one is a onedrive
So, stage 0 is what is inside the affected mod. It tries to connect to a server, like as you would call a phonenumber. But, at the moment the phonenumber is dead (i.e. server is dead). So there is no communication
If the file directory has a space between 'Microsoft' and 'Edge', it is not the official directory and is part of S1 of the malware.
hey not related to minecraft, im having problems loading curseforge for other games, it just gets to here and sits (mspaint over stupid advertisment)
dont run curseforge
if the issue is only related to jar files then why?
guys this is the updated link for the guide
CF is fine.
If I didn't download a mod for a big while, am I safe?
Download the scanner and check.
Btw, for those interested, the second C&C is dead
i ran the scanner and it still says i have no malware
Perfect
I did and it says I'm good
i was about to ask if links were allowed so i could send this lol
Oh lmao
whaat is that link?
Fractureiser is the name of the malware, this page explains in basic terms what is going on
Is it sure the scanner can totally discover the malware?
It discovers malware in S1 and S2.
all the guide you need
But now is S0, how does the scanner work?
What does that mean exactly? The author can't tell the installed malware to execute or sum?
are Macs currently affected by the malware?
Mac is safe
great, i just won't touch CurseForge, other than i delted the modpacks that i recently installed to be safe
The scanner searches for two directories created by the malware. This is how to determine whether you have reached S1.
C&C means command and control
So, the malware needs a server to communicate to. C&C means, command and control. When this server is gone, the malware doesn't have anything to communicate to.
Ty lmao
So does that mean the malware is still present, just can't send info back?
Yes
Just deleted it all and shut down my computer completely
Yeah. It is why I deleted every single mod file.
guys soon devs will give us tools to delete the malware completely
Which will be amazing.
So is there away to stop mod packs being updated for now?
it was discovered yesterday, give em time to learn more about it
So there is no way the virus can get higher than stage 0 rn?
So if it's in S0, the scanner can't find the malware?
They are manually updated, not automatically.
So i'm assuming its still not safe to boot minecraft right?
Exactly
I doubt I have anything the scan came up clean and malwarebytes said there was nothing there
I don't believe I ever had the malware, never showed up in my system. But imma still run whatever software they make to get rid of anything I maybe missed
It only detects s1 and s2
malwarebytes :D
soon a tool for that will be released
Goes brrrrrrrrrrrrrrrrrr
So if I run the scan and it says no virus I'm 100% safe (for now)
how do i turn off those annoying things
the superreacts
Still gonna play Valhelsia 5, also rip the new life smp lol hope those famous minecrafters are aware of this problem, this virus might ruin that
aint it that nekoscanner jar? last i checked, it was still being made
can optifine also be affected by this
lmao you cant, that why we pay for nitro
Yep. It acts as a sort of trojan horse, and requires you to execute a jar file in order for it to spread. This, in turn, creates the fake directories
Remember, I am not a professional. Take my words with a grain of salt.
Does the virus go progress at the same time for everyone with it installed? If the C&C was up like would the hacker āpress a buttonā and progresses it to stage 2 and so on
no, the scanner can only detect stage 1 and 2
for you to see them lmao /j
can i redownload my mods from modrinth and it would be completely safe?
well then fuck off with them theyre annoying
BUT if you go to the github page of HackMD, you will see that a new stage0 scanner is being built
lmao
Nekoscanner can detect stage 0
I know. I was just explaining my idea as to how St0 progresses to S1. That is why it can be found.
go study cybersecurity so i can take it with a pinch of sugar 
there are 5 uses per week
c++?
Happily, friend!
Being a professional hacker for like the FBI or sum would be a sick job Ngl
like a whitehat hacker?
these shellscript things in the fractureiser info thing, do i run this by just copy and pasting them into powershell or something?
nah you'd probably sit on a chair for 12 hours straight and pointlessly stare at a terminal
GUYS DOES MALWARE AFFECT FABRIC MODS?
Putting on a suit and tie to go hack some poor sod
All mods, anything, every single one them
You can see it as a burglar scenario. There are 4 burglars (stage 0, stage 1, stage 2 and stage 4) and one boss (C&C). Every burglar invites a new one, by calling them. At the moment there is no communication between burglar 0 and burglar 1. So burglar 1 can not be called. However, burglar 0 is still in your house and we don't know if he will ever be able to communicate again with number 1. Burglar 0 is however stupid and won't do any damage. If all burglars are however inside your house, they communicate with the boss and steal things. Right now also that communication is broken (but has been reinstated again in the past), so they can't steal anything.
burger scenario
burg
Who "killed" the server the hackers or curse forge? And can the hackers turn it back on?
love the simple explanation. wish this was pinned fr.
The server host, so not the hackers
Alright thanks
ik this is probably already been asked but if i haven't used curse forge in a week or two would i be fine?
still wondering what this is about, and how to use these
I love how i started a youtube series on a minecraft modpack, and now i can't even play it
aight thank you!!
So I should use the scanner before unloading all mods or after?
request to update #news with this link
ok
why is it called fractureiser?
If the malware is in S0, after I unload all mods, am I safe?
its the name of the account that spread the malware, among other accounts
Yes, but delete them
gotcha
Thank u guys very very much
how do you run the scan? all it gave me was a gradle.bat file and some other weird stuff
the things here, in this screenshot from that fractureiser investigation page, seem to detect s0 stuff, yes?
how do i run those then
^
I don't think it does. If you have not found any malware just delete all mods
there needs to be something to fix this, i spent awhile setting up that modpack and i dont feel like doing it again
And for the scan, go to https://discord.com/channels/428228256236306434/525372338653626389 where you can download it from CF
i did that scan, i read that it only detects s1 and onwards
so if they arent infected, i do not plan on removing them
It will take until tomorrow until CF has scanned all mods, so nobody knows atm how many mods are infected
It is at your own risk
that is why im asking about how to run the things in there, as it seems to have some kind of s0 detection
does the scanner scan all files?
the cf scanner checks for s1, it does not scan any files for s0
im still trying to wrap my head around that s0 detector. it feels like a file or two is missing.. maybe wait for a proper release?
Both scripts are .sh (I think those are the ones you mean?), and these are made for Linux. Running them on windows is advanced and you should google it. Both scripts however warn for false positives/negatives so it should not be trusted
what if i use fabric?
Fabric mods can also be affected
how would the issue get fixed btw?
so they are for linux. thanks for the clarification!
like what would be the solution?
All infected mods will be deleted on CF, and maybe CF will mass auto-update infected modpacks. But the only other solution will be deleting infected files, so there will probably be a warning or something on the website
And a tool that deletes the dangerous files for users who have no clue about these things :p
alright alright hopefully will be fixed soon
does malware spread only when the game is launched?
I'm curious if it's even safe to open minecraft thru CF
Is curse forge minecraft icon supposed to be a Ghost faced creeper?
Avoid it if possible. Even Vanilla.
It will only infect a computer when the game (mods) are launched. It can however after that spread even when MC is closed
app is really slow, all resources on my pc look good, internet is good I have tried restarting it 6 times now
ty !
hopefully everything is fixed soon and we can all get back to gaming 
im fine then
i'll still check when i can tho
are texturepacks safe?
is cursed forge safe to run
Yes
man. staring at CF longingly rn
their app is so slow.....
also i still cant get it to open for other games
let alone minecraft
cursed forge lol
I Downloaded the scanner and can't seem to run it, everything opens into notepad?
Am i safe if i reinstall windows xd
might be something going on with CF. try rebooting your pc :)
i did recently, but have since gotten it to work finally
did you download the script?
is it safe to run a mod pack??
something is going on with cf rn, its happening to me too
if yes then run this command: powershell -executionpolicy bypass -file "%UserProfile%\Downloads\check_cf.ps1"
Maybe if I come back later it will be resolved. I hope......
in win + R
this isn't a very complicated question I know, but how do I disable auto update?
if youve already been running a pack since atleast last night, and used the checker and it says nothing, then is everything fine to go again?
Not a problem.
cause i would like to get back to something, that i have been running for every day for the past like 4 days
thought i did add two mods as of just last night
mentioned earlier, Curios API and The One Probe
Have you run it already with these mods? The pack?
yes
This just does nothing for me
It should be fine, but again it is at your own risk
@outer sable can you help him, I gtg
It pops up a screen and then disappears
is your default thing for opening exe files changed or something? idk why it would open notepad, mine didnt open notepad
It brings up the screen to open in certain apps
Which scanner have you downloaded?
ok i might be being dumb but like, what does the virus actually do
well when i run the thing, it opens this
That's the tool, you just click scan
You should download the CF one, as SEV did
I downloaded it from the github link from #news
The github is not an .exe, so you can't run it
I think the GitHub is just open sourced so people can see what it is
There is a .exe link on that same page, not the github one but the CF one
if you downloaded whats on the github, i think that is just the source code of the exe
so you might have to do some kind of process to change it to being the exe file, maybe just changing the file type?
or just redownload it lol
I downloaded it from the prismlauncher site and it worked
No it needs to be compiled, but that's what the website already did for us
Thanks
yeah i assumed something more was needed
lunar safe? as in can i run lunar or will the virus get inside lunar idk
Nothing is totally safe
I can't really speak for lunar but if you say, downloaded infected files from curse forge and then added those files onto lunar I don't think it would be safe
I would not risk it tbh, until CF confirms it's alright
don't you just hate when you wake up wanting to play minecraft with mods and it gets hacked? i hate when this happens
so is the safest thing playing nothing?
I can't believe people don't go to prison more often for stuff like this
Theoretically yes
have you found other infected jars ? (im part of the investigation team)
what if i play fortnite?
In the case you're not kidding, Fortnite is okay
well you can play minecraft, but first you gotta scan your pc using our tool
im not if i cant play minecraft at least ill play something
pvz garden warfare 2 is better
Yeah you're fine to play other games. I don't really know if other games even have .jar anymore I think only Java games do
doesnt it cost money
that's the bad part of the better
See what free games are on Epic, they get a new free one every week it sounds like you have Fortnite so you already have the epic launcher
lmao
yea ill check it out in a bit
It's a horror game right now, but tomorrow there is a different one
is it only the new mod files that have the malware
nvm ill wait for tomorrow then dont really like horror games
updated mods if im not wrong
Depends on what you call 'new', and there is also a new season of Rocket League as of today
Curseforge keeps loading the old launcher instead of the new one
curseforge please fix yourself.......
Little problem with forge mod loader, it always crashes with or without mod
This problem happened to me a long time ago and still now (1 week ago so the hack problem in #current-issues is not the problem)
Hey, pls send a launcherlog into #mc-other-help
Don't have one with me but when the issues with curseforge is finished i will get one
okay I will remember your name^^
How do I change which launcher curseforge launches into
Please fix your app
is that something i can do myself or
can i get malware from a server which has bukkit plugins, but is hosted on aternos/apex etc.?
Sorry I was talking to the curseforge devs
Im sick and tired of seeing a loading screen for 3 min then this https://i.imgur.com/ZdDEyvr.png
Depends on if you're using curseforge to play said server
so playing with vanilla launcher its safe?
Yes
i used the original launcher and the plugins were not installed client-side
This issue only applies to the minecraft mods on the curseforge launcher which everyone seems to be completely overlooking
So ur using the vanilla minecraft launcher? If that's the case idk much else, that'll be something for a professional to answer lol
am I able to use fabric mods without having to worry about the malware?
How do you use the github malware detection tool
Again they've stated the important stuff in the announcement
ugh and when it does load, the mod install button does nothing
If you're not using curseforge minecraft then you do not need to worry. And you can still download and use the detector if u want to be safe
try reinstalling
hello curse forge api is free ?
tried that
is there a way to update a modpack to a newer mc version w/o having to reconstruct it from scratch everytime?
on curseforge?
yes
No. Different versions are 99% usually incompatible code wise between changes to Minecraft and changes to modloader code
sad
Curseforge is free but it isn't a good time to download it
Well it's an opportunity maybe to make the new one different:D
Again curseforge isn't affected, Minecraft on curseforge is
No API. You misunderstood
But still not using it is better for a few weeks
There is a website submission form for applying to get keys to use the CF API - but yes
My bad
Please don't spread that with no understanding of what is needed to rectify the issues
Multiple workings of the issue are being worked on fast
how much time to get response
Unknown. Customer service usually pretty fast
You have to agree to use it for legitimate reasons under their specific terms
do they offer api for minecraft mods only
hmm . Is it legal to generate income by building a website with this api?
See the terms that are published for it.
thank you
wheres the scanner that can detect stage 0
this might or might not be helpful
so if i am infected i would delete the files from the folder right? and what else should i do?
Although i haven't found anything I'll reboot my PC at a computer service
Don't risk anything and change your passwords , i did mine
Stage 3 takes your account and stuff like that right?
sure ig u can say that. detectors says i'm fine and AV too. i've removed client.jar already, im going to reinstall windows though even tho it says that
i think stage three injects itself into other mods
İt is the safest solution
i ran the scan and looked through my files, no malware was found in both instances. does that mean i am safe?
You should be if I'm not wrong
i deleted client.jar but i don't feel safe so i'm reinstalling windows. if the provided stage checkers says ur good then ur prob fine. it says i'm good but i'm paranoid so i don't want to take any chances
İ can't stop being nervous about that, also i wanted a reinstall before my warranty run out
ok, thank you! im not very tech-savvy so all this is very new to me
Welcome, did you do everything as in website? Show hidden folder and other one
does curseforge support the """new""" launcher? (that one that supports minecraft windows)
CF does not use the Windows store launcher. It is exactly the same as the other game launcher.
https://support.curseforge.com/en/support/solutions/articles/9000228509-june-2023-infected-mods-detection-tool/#What-to-do-if-the-detection-tool-says-I-am-infected? if this is the only test ive done, should i assume im safe? (Malware not detected) but i see ppl doing all types of hidden file stuff and what not
yep
İ used Malwarebytes to find virus folders, it is free
Bit defender is also free
mods and modpacks from February are safe right?
I think the only things I've downloaded in the past several weeks are shaders. Do they have .jar files that could have been affected? I also got some resource packs but I've only heard about mods with the malware.
It can affect any .jar file
Thanks
So I am in another server for the Scape and Parasite mod and I guess their java programmers were poking around on it, apparently the malware can escape virtual machines
So I guess apparently don't do that
i have a registry entry that says microsoft edge, but i think it is the real one. It is msedge.exe, is this one the good one?
IT CAN WHAT?
This is what I am finding on the github, it's run by a few java modders
nah a computer virus is alive now wtf
doki doki ahh vibes
i dont think there has been a virus this bad
There have been a few, there was one Windows had a while back that was actually so bad that the NSA involved itself
well i wonder how far this one will go
should i be concerned abt this VM stuff even if i don't have a VM
i honestly wonder how long until things will be back to normal again
No, basically what that means is people try to run the virus on a virtual machine to like, see what it does, or do whatever tests
Most likely a couple days
well damn i finally have some time off and i wanted to spend it playing modded minecraft there goes my weekend
yea, i guess gmod for the week
any updates on the fix?
They said at midnight EST, or roughly 7 hours ago for me, they were going to scan all the files on the website
there are so many mods on curse forge this is gonna take forever
Hi, recently I tried to use the newest version of the Minecraft create mod, but when opening the game it told me that the mod requires forge 40.2.4 or above. How would I update it?
dont
Yall!! This modpack is safe right??
thanks man
I downloaded it before all this!!
For now it's a good idea not to but since this will all blow over this is how
if you dont run the modpack you will be safe
Actually you may even need to just redo the entire modpack since you said you're on 40 versions, but you should hold off
Any ETAs when itll be safe again to play MC normally then??
nah, i came here for that too
is it safe to launch mods already installed and that I haven't updated to a newer version?
got an issue where its loading at 99 percent and doesnt continue
can anyone help me find out why i keep getting a code 1 error my all the mod 8 client keeps crashing it self when i try to start it
i tried so hard and even wiped my entire PC to see if it was mods conflicting but it wasnt
At this time, no. Not until we have full confirmation things are safe.
Malware
like i got infected by it and thats why its getting knocked off or its just preventing me for safety?
What does it mean by escaping virtual machines?
If you run the virus on a virtual machine it can get onto your computer and not be on the virtual machine where you can just terminate it
So like if I am a Mac running windows through boot camp?
I actually don't know what that would do
I heard it doesn't do anything on MacOS but idk if it's really worth trying
I ain't touching it till it's fixed
My pc started up with the windows 11 setup screen... could I be compromised?
windows 11 virus
No thats because you accidentally updated to Windows 11
How long will it take till they fix the curseforge mods and is modrinth safe
Ok lmao I'm an idiot
Hello all I got a question like can u still open the game with mod if the detectiontool detect nothing?
As of right now I think we've been told not to use it
Can a virus scanner find the corrupted files from the hack?
I don't think so, you have to use the program they provided for the time being, it's in #current-issues
hi, does anyone knows if FTB packs were affected?
Ty Iāll check it out when Iām back on my pc
can I still download shaders and texture packs?
well I play it yesterday (cuz the virus warning been publish today) and the detectionTool detect nothing so I think there no malware no?
yes you can
are there new tools used to detect the malware on jar files?
not yet
there only detectiontool-0.0.1 for now
okay thanks
There is the neko tool as well. That one detects stage 0
neko tool?
thanks
The downside is you have to make the jar file yourself using the source code
oh well I'm not well versed in java and even with the source code so i'll just hope that nothing else is infected
i deleted like all dat shi
Will deleting and reinstalling windows operating system destroy the virus
Yes
idk how to do that also i dont want to lose all my games and shi ive installed
In a magical world an asshole created a virus to make numbers of people mad
the asshole should kill himself
Visit a computer service, that asshole need a brutal torture
im too poor to do that
Sorry, my warranty hasn't ended yet, i can only delete windows, have to pay for windows again
i got my computer on amazon and have had it for less than a year so idk if i got a warranty
I bought mine last summer July 15
I downloaded Better MC [FORGE] - BMC3 in May, but after I used the scanner, it says no malware
does the scanner really work?
the one curseforge detector that i got doesnt scan any mods, it just sees if youre already hacked or whatever
idk mightve changed
Curseforge only scans 1 and 2(at that point you are infected). If not found then you are not infected
Do not run the modpack if you think the mods might be infected though. I dont think the scanner detects it when it's still dormant
Hello, I have heard about the issue that has happend recently. What exactly was affected and how can we tell if loading a pack is safe or not?
- Mods
- Technically none, but we have tools to detect
- https://github.com/fractureiser-investigation/fractureiser/blob/main/README.md
what can I use to find the malware when it's dormant
fractureiser is a novel self replicating virus that infects Bukkit plugins, Forge Mods, Fabric Mods, and vanilla Minecraft JARs. Infected JARs, upon being loaded, will run as normal, but silently download a series of payloads that steal login tokens, stored browser passwords/payment information, and cryptocurrency. After a computer has been infected, every applicable JAR file on the compromised system will be infected such that if they are shared and run on another computer, the infection will spread. Compromised Curseforge login tokens were used to gain access to large mod projects and distribute infected JARs to users.
https://github.com/fractureiser-investigation/fractureiser is the best source for info
I believe this should work, though you're better off just uninstalling the modpack for now (making backups of your worlds first if you care about losing them) and reinstalling it once CF gives the all clear
https://github.com/MCRcortex/nekodetector
Can i still run and play my own modpack? or is that still not safe
Github links are posted. If you are decently versed in java, the neko detector tool can be used after you make the source into an executable jar
As in one you specifically made? Not necessarily, if the malware was on one jar it will attempt to infect all others
What mod was it that is infecting others, if it is known
There are a few known in the github page for it, but that's only the known ones
@slow valley how do I use this jar scanner
is there like a list of mods or something I can add to a modpack to make it perform better?
I already uninstall all mods, but I know the malware create a hidden file(Microsoft\Edge) in my computer. Can (1.https://github.com/fractureiser-investigation/fractureiser 2.https://github.com/MCRcortex/nekodetector) these two find the hidden file?
curseforge's detector can spot that hidden file and is effectively hard coded to identify it if it exists, it will tell you if it's there or not. If it comes up with nothing then you weren't infected
How does the known infected mod list update btw? Is it just updated every time a mod gets found or does it update by interval?
You open JarInfectionScanner.exe
then scan any folders containing .jar files
Scan your minecraft directory and any folders containing other minecraft mods
The scanner will also scan sub-folders so don't worry if they're separated by a bunch of folders within, etc..
okay cool thanks
ohh you can browse it didn't show that option at first launch thanks
Yes, you can also look for it yourself, you just have to turn on view hidden files from file explorer(view > show hidden files)
i can't browse it on windows 11 bruh
Just remember if doing it manually look for the one with a space in it. Thats the fake one
it's either Microsoft Edge or MS Edge right