Send this to anyone who was playing modded Minecraft on work machines. Or anyone playing modded Minecraft at all, really!

That link is weirdly embedding rather than just redirecting or referring to a GitHub page. It doesn't seem malicious, but Firefox at least complained that it violates GitHub's content-security policies on their pages.

https://github.com/fractureiser-investigation/fractureiser seems to be the correct underlying content. I'd also recommend you retitle this to "Minecraft mod users beware", as there exists at least one gamer who does not use Minecraft mods.

It does seem like impressively dangerous malware.

Place your (fake) bets on whether this was caused by ChatGPT or one of its cousins! https://manifold.markets/GarrettBaker/did-a-llm-contribute-significantly

Thank you for the heads up!

Could you please clarify for parents like me, who don't fully understand Minecraft's ecosystem and just want their kids to stay safe:

1. If my kids only use Minecraft downloaded from the Microsoft Store, and only ever downloaded content from the in-game marketplace - what's the chance they are affected?

2. Am I right in thinking that "mods" = "something which modifies/extends the executable", while "add-ons" = "more declarative content which just interacts with existing APIs, like maps, skins, and configs"?

3. Am I right that "Minecraft from Microsoft Store" + "content from in-game marketplace" would translate to "Bedrock Edition" + "add-ons"?

4. Am I right that the fractureiser affects "Java Edition" + "mods" only?

As someone who played modded Minecraft (but I am not the OP, who might have more accurate information and a better understanding):

  • Minecraft downloaded from the Microsoft Store is indeed the Bedrock Edition. If I understand correctly, this version is not affected.
  • Mods are indeed pieces of code which modify/extend the executable. Some add-ons seem to be very complex, and deeply modify the game (at least from the user's perspective), so I'm not sure how clear-cut the separation is here.
  • Minecraft Bedrock indeed has add-ons, while Java has mods. Only mods are affected.
  • (Not really one of your questions, but I think it is relevant.) Mods are very easy to download; there are some marketplaces for mods, most notably CurseForge. From the user's perspective, on CurseForge, one can browse through the mods (like an app store), then click on the install button, and it is downloaded and auto-installed. No more technical knowledge than using the App Store or Google Play Store is required. The virus was embedded in mods on CurseForge.

In short, if your kids are on Bedrock, then your computers are probably safe.

The malware is embedded in multiple mods, some of which were added to highly popular modpacks.

Any info on how this happened? This seems like a fairly serious supply chain attack. I have heard of incidents with individual malicious packages on npm or PyPI, but not one where multiple high profile packages in a software repository were infected in a coordinated manner.