
What happened?

Following reports we received, we found that a malicious user created several accounts and uploaded projects containing malware to the platform. We have banned all accounts relevant to this.


In collaboration with the author community, the CurseForge team has undertaken a thorough investigation to address this issue promptly and ensure that such malicious actions are prevented from happening in the future. Our primary objective is to provide a swift resolution and implement preventive measures.


This article provides instructions on how to use a detector tool that will help you identify whether your computer has been infected.


How do I know if I am infected, and what to do?

First, look at the list of projects at the bottom of this article. If you know you haven't downloaded any of those projects in the past month, you should be safe.

Also note that this malware only infects Windows and Linux, not Mac.
That being said, if you're not sure, or want to check to be sure, proceed below.


There are 2 steps to take to make sure you are safe:


Detect if you are already infected

  1. Download the detection tool from here (Windows) or here (Linux) and run it. GitHub project can be found here.
    This tool will check if you are already infected. The tool will provide a list of the files detected on your PC.
    See example below:
  2. If you’ve run the detection tool and were found to be infected, first make sure to display hidden files.
    On Windows, simply go to the top of your File Explorer window (any opened folder) and click View > check "Hidden Items".

  3. If you still don't see the files after showing hidden items, go into View>Options and remove the check from "Hide protected operating system files". Click Yes on the warning. You can hide them again after deleting the infected files.

  4. Go to each file destination and delete those files.
    Delete the "Microsoft Edge" (with a space) folder completely. The normal Edge folder has no space in its name. This malware specifically creates a folder with the space in it.

    In addition to the above steps, if you were found to be infected, we recommend as a safety measure running independent malware scanning tools and changing any important passwords you have.

Detect if you have any dormant / other infected mods/Jar files

  1. After completing the previous step, run the Jar Malware Scanning tool to check whether your other mods that are not on the list below have been infected. This tool scans for the stage 0 vulnerability and will be able to detect any infected Jars.
    Run the tool linked here. Full GitHub here.
    Make sure to run this tool even if you were not found infected in step 1.

  2. Use the tool to scan all folders that contain Minecraft mod Jars installed on your PC.
    Click "Browse" and choose a folder that contains jar files, then click "Scan". This will check the selected folder and all its sub-folders.

    If an infected file has been found you will see a message. See the example below. In that case, delete that Jar.
    Make sure to cover all folders on your PC containing Mods/Packs.
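
To support the two steps above (finding the "Microsoft Edge" folder with a space even when it is hidden, and covering every folder that holds Jar files), here is an added helper script; it is not part of the CurseForge tools linked in this article. It assumes you pass a search root yourself (the home folder is only a default) and it only lists what it finds, so compare the output with the detection tool's file list before deleting anything.

```python
import os
import sys

# Folder name WITH a space, as described in the clean-up step above.
SUSPECT_DIR_NAME = "microsoft edge"


def inventory(root):
    """Walk `root`, hidden folders included, and return two dicts:
    suspect  -> {path of a folder named exactly "Microsoft Edge": its entries}
    jar_dirs -> {folder path: number of .jar files directly inside it}
    """
    suspect, jar_dirs = {}, {}
    # os.walk lists hidden folders, does not follow symlinked folders, and
    # silently skips folders it cannot read instead of aborting the walk.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            # Exact name match: "Microsoft\Edge" (no space) is not reported.
            if name.lower() == SUSPECT_DIR_NAME:
                path = os.path.join(dirpath, name)
                try:
                    suspect[path] = sorted(os.listdir(path))
                except OSError:
                    suspect[path] = []  # found, but contents not readable
        jars = [f for f in filenames if f.lower().endswith(".jar")]
        if jars:
            jar_dirs[dirpath] = len(jars)
    return suspect, jar_dirs


if __name__ == "__main__":
    # Assumption: the search root is given as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    found, jar_folders = inventory(root)
    for path, entries in found.items():
        print(f"[!] folder named 'Microsoft Edge': {path} -> {entries}")
    for path, count in sorted(jar_folders.items()):
        print(f"[jar] {count:4d} jar file(s) in {path}")
```

Each `[jar]` line is a folder to select with "Browse" in the Jar scanning tool, so that no mod or modpack folder is missed.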



Live list of confirmed mods that were infected (Last Updated - 06/11/2023 08:53 UTC)


Projects that were infected and are now fixed:

Most of the projects from LunaPixelStudios - It is advised to ensure that you have the latest version of any modpack, as the necessary fixes should already be available for those modpacks, and the infected files deleted.


Mods

| Mod Name | Total non-unique downloads at time of detection |
| --- | --- |
| 1. Buried Barrels | 5 |
| 2. Sky Villages [Forge/Fabric] | 481 |
| 3. Simply Houses | 169 |
| 4. Skyblock Core | 44 |
| 5. When Dungeons Arise -Forge/Fabric | 1,248 |


Modpacks

| Modpack Name | Total non-unique downloads at time of detection |
| --- | --- |
| 1. Better MC [Forge] - BMC3 | 1,040 |
| 2. Medieval MC [Forge] - MMC3 | 246 |
| 3. Prominence [Forge] | 23 |


Projects that are infected and taken down permanently:


Mods

| Mod Name | Total non-unique downloads at time of detection |
| --- | --- |
| 1. Golem Awakening | 11 |
| 2. Phanerozoic Worlds | 283 |
| 3. Autobroadcast | 21 |
| 4. Museum Curator Advanced | 48 |
| 5. Vault Integrations (Bug Fix) *Note - Not the Modpack Vault Integrations | 160 |
| 6. dungeonx *Note - Not DungeonZ | 1,227 |
| 7. More and Ore advanced | 257 |
| 8. Anti ChatReport | 61 |
| 9. Additional Weapons+ | 644 |
| 10. Create: Diesel and Oil Generators | 366 |
| 11. Ultra Swords Mod | 445 |
| 12. Simple Frames | 41 |
| 13. XPClumps *Note - Not Clumps | 50 |
| 14. Target Dummy | 33 |
| 15. Sleeping Bags | 50 |


Modpacks

| Modpack Name | Total non-unique downloads at time of detection |
| --- | --- |
| 1. UVision ENHANCED (server pack only) | 2 |
| 2. UVision Server (server pack only) | 1 |
| 3. UVision LITE (server pack only) | 2 |


Bukkit Plugins

| Bukkit Plugin Name | Total non-unique downloads at time of detection |
| --- | --- |
| 1. AmazingTitles | 27 |
| 2. HavenElytra | 83 |
| 3. DisplayEntityEditor | 23 |
| 4. The Nexus Event Custom Event | 15 |
| 5. SimpleHarvesting | 20 |
| 6. McBounties | 18 |
| 7. Easy Custom Foods | 21 |
| 8. AntiCommandSpam Bungeecord Support | 12 |
| 9. UltimateLevels | 12 |
| 10. AntiRedstoneCrash | 11 |
| 11. hydrationPlugin | 33 |
| 12. NoVPN | 14 |
| 13. Fragment Permission Plugin | 29 |
| 14. Skelegram - The Skript Telegram Addon! | 17 |
| 15. AntiCrashXXL | 78 |
| 16. Holographic Plots | 39 |
| 17. Beacon Waypoints | 31 |
| 18. Treecapitator | 264 |
| 19. PaperCurrency | 24 |
| 20. The Auction House | 103 |
| 21. AlwaysChicken | 30 |
| 22. Tpa Deluxe Simple Teleportation | 286 |
| 23. Floating Damage | 151 |
| 24. MinecraftGPT | 27 |
| 25. DoubleJump Plus | 30 |
| 26. SculkInvasion | 40 |
| 27. SimpleHealing | 15 |
| 28. Vanilla Challenges | 31 |
| 29. TPS Bar | 66 |
| 30. SemiHardcore | 41 |
| 31. TNT Tag Minigame | 34 |
| 32. Command Timers | 45 |
| 33. InstaSmelt | 22 |
| 34. Neo Performance | 45 |
| 35. Chat Games | 22 |
| 36. ServManager | 34 |