A planned attack was launched against the Minecraft modding community. It compromised CurseForge and Bukkit modder accounts and injected malware into many popular mods and modpacks. Once downloaded, these modified .jars ultimately try to infect every .jar on your system, all of which can then:
- Steal cookies/login information in your browser
- Replace cryptocurrency addresses in your clipboard with alternates, presumably owned by the hackers
- Steal your Discord login credentials
- Steal your Microsoft & Mojang account credentials
This malware is not detectable by things like Windows Security & Firewall. If you're concerned you may have downloaded one of these hacked files, follow the steps below:
You can check whether the malware ever ran on your computer, since the malware attempts to save files at several unusual paths:
- Linux: ~/.config/.data/lib.jar
- Windows: AppData\Local\Microsoft Edge\libWebGL64.jar and AppData\Microsoft\Windows\Start Menu\Programs\Startup
On Windows, the folder "Microsoft Edge" SHOULD NOT EXIST; the actual Microsoft Edge folder does not have a space in it: MicrosoftEdge. If you see a folder with the space, it's very possible that the malware has run on your computer. The same goes for ~/.config/.data/lib.jar on Linux; it shouldn't exist.
This is a very serious and dangerous threat: IF you've been infected, you have to assume every .jar file on your system is infected. You're advised to remove them all, as well as the paths mentioned above that shouldn't exist.
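The path checks described above, written as a script. This is an added example, not code from the fractureiser investigation or from CurseForge/Bukkit; the function names are my own, and the `Roaming` variant of the Startup path is an assumption based on where the per-user Startup folder normally lives on Windows.

```python
import os
from pathlib import Path

# Paths from the advisory, relative to a user's home directory.
SHOULD_NOT_EXIST = [
    Path(".config/.data/lib.jar"),                        # Linux
    Path("AppData/Local/Microsoft Edge"),                 # Windows: folder WITH a space
    Path("AppData/Local/Microsoft Edge/libWebGL64.jar"),  # Windows
]
# The advisory writes the Startup path without "Roaming". The per-user Startup
# folder on Windows sits under AppData\Roaming, so both spellings are checked.
STARTUP_DIRS = [
    Path("AppData/Microsoft/Windows/Start Menu/Programs/Startup"),
    Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"),
]

def check_home(home):
    """Return (found, startup) for one home directory.

    found   -- advisory paths that exist and should not
    startup -- everything in the Startup folder(s), for manual review; the
               advisory names the folder but no file name, so nothing here
               is judged automatically
    """
    home = Path(home)
    found = [p.as_posix() for p in SHOULD_NOT_EXIST if (home / p).exists()]
    startup = []
    for d in STARTUP_DIRS:
        if (home / d).is_dir():
            startup += sorted((d / e.name).as_posix() for e in (home / d).iterdir())
    return found, startup

def list_jars(root):
    """List every .jar under root; os.walk skips unreadable directories."""
    jars = []
    for dirpath, _dirs, files in os.walk(root):
        jars += [os.path.join(dirpath, f) for f in files if f.lower().endswith(".jar")]
    return sorted(jars)

if __name__ == "__main__":
    found, startup = check_home(Path.home())
    for p in found:
        print("SHOULD NOT EXIST:", p)
    for p in startup:
        print("review Startup entry:", p)
    if found:
        # Per the advisory: once infected, treat every .jar as infected.
        for jar in list_jars(Path.home()):
            print("treat as infected:", jar)
    else:
        print("None of the advisory's should-not-exist paths were found.")
```

When run directly, the script only walks the current user's home directory; call `list_jars` on other drives or roots as well, since the advice applies to every .jar on the system.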
For all the details, read https://github.com/fractureiser-investigation/fractureiser#non-technical-overview-read-me
Please be safe, and DO NOT download mods or plugins at this time.