oh wow
technical information on the CurseForge compromise https://hackmd.io/B46EYzKXSfWSF35DeCZz9A
apparently it's an actual virus in the original sense of the term, a JAR infector!
...and the code added to infected files hardcodes a C2 by IP address to get the next stage lol
they tried to hardcode a backup on cloudflare pages but fucked it up
imagine if they'd actually used a DGA or something lol
the final payload includes a stealer because of course it does