Multiple sources are reporting that popular projects on CurseForge might have been compromised. Avoid downloading anything from CurseForge for the time being and check if you might be already affected.

Read our blog post for more information: https://prismlauncher.org/news/cf-compromised-alert/

Prism Launcher - [MALWARE WARNING] "fractureiser" malware in many popular Minecraft mods and modpacks

Malware is being distributed through Minecraft mods and modpacks mainly through CurseForge

Update: The working group investigating this malware has found code that hints at self-replication capabilities. It is currently unclear if these capabilities have been used at all. We recommend being on the safe side and not launching Minecraft for now.
@PrismLauncher Meanwhile, this is how CurseForge is handling the situation.

@PrismLauncher Flatpak should be immune, right?

@PrismLauncher I guess that is yet another argument for source-based distros with vetted maintainers.

@lispi314 Good idea in concept, just a lot of people don't know how to compile anything.

@ezio Guix and Nix show how you don't even need to know that as a user.

As far as you're concerned, installing binary packages from the GNU build farm, or building from source when no such substitute repository is available, uses the same command (you can, however, force it to always build yourself).

Arguably so does Gentoo, but I've never used it.

@lispi314 @ezio if an attacker could infect a binary distribution, they could infect a source distribution. I don't think you really gain anything by shipping source.

@egypt @ezio Well, what I'm getting at is more that very often mods don't come with any source whatsoever and are entirely closed-source blobs, so you can't build them yourself.

Changing that and making it expected if not outright mandatory to provide the project source would help a lot.

It would also diffuse exposure, as not everyone would be downloading binaries from the same single vulnerable repository that, if successfully compromised, would maximize deployment potential.

@PrismLauncher Thanks for the heads-up!