oh wow

technical information on the curseforge compromise https://hackmd.io/B46EYzKXSfWSF35DeCZz9A

apparently it's an actual virus in the original sense of the term, a JAR infector!

...and the code added to infected files hardcodes a C2 by IP address to get the next stage lol

they tried to hardcode a backup on cloudflare pages but fucked it up

imagine if they'd actually used a DGA or something lol

the final payload includes a stealer because of course it does

`fractureiser` - What We Know - HackMD

@Rairii honestly extremely good insight that mod developers probably also run modded minecraft with other mods, so you can compromise their tooling and spread that way as a part of legitimate mods and essentially cause infinite damage
@halcy wonder if this turns out to be like wcry in that they accidentally started spreading before they were ready to
@Rairii that'd be Very Funny but also the doc says some modpack updates were uploaded WEEKS ago so that does seem like ample preparation
@halcy true, but still a slight possibility given that it's a JAR infector

@Rairii man the fallout from this is kind of wild

I guess in a sense it's actually lucky that *most* mods go through curseforge at some point because they can at least detect and block on upload now and halfway contain this, maybe

@Rairii block on upload *and* make everyone reset their passwords lmao

jesus christ

@halcy apparently one account on curseforge got compromised belonging to a luna pixel studios dev

i wonder if the malware author didn't realise the potential scale of what they were doing with the JAR infector

@Rairii how does this even get cleaned up?

like. right now an unknown number of mod author machines are compromised, accounts also, mmmmaybe if the C&C server is down they can at least not be re-compromised but do you really want to rely on that?

essentially every minecraft mod repository or forum where people upload those or anything else really has to immediately turn uploads and probably downloads off, add some form of scanning to block *this* version, reset everyone's passwords, at minimum, if you're an optimist and assume that recompromise of accounts followed by uploading a new undetected version isn't possible

@Rairii (also ideally mod authors also reset all their other passwords like their e-mail password because, well, you know

what a mess)

@halcy

stop playing minecraft

every skid with a bit of imagination somehow manages to hack half the planet every few years

years of work but no real use found for games written in java

wanted to explore a procedurally generated world anyway for a laugh? we had a game like that already, it was called infiniminer

"yes let's send several tbps ddos ovh because we're trying to extort this gameserver" "this game server uses a single thread for everything" - statements dreamed up by the utterly deranged

look at what minecraft devs/users have been demanding your respect for all this time, with all the things that were built for them:
bukkit (???), mirai (?????), microsoft being sent every message in ingame chat on every server (????????)

"hello i would like to kill creepers to make tnt please"
they have played us for absolute fools

@Rairii honestly now that you describe it as this I'm actually all in favour

@Rairii it just keeps getting funnier

here's hoping spread is more limited and this is just overabundance of caution but man I can see how it might not be

(t/l note: funny means oh shit oh fuck)

@Rairii @halcy Took me a while to get the joke's format.

Also I had forgotten about the chat moderation thing and oh boy, what a weird decision.