Just a bit of a PSA here for anyone diving into Minecraft modding, as recently there's been a problem on both CurseForge and Bukkit with malware.
There's been a lot of reports on this and the situation has been moving pretty quickly, but for now you should stay away from downloading any Minecraft mods from both platforms. The issue affects both Windows and Linux.
From the report on hackmd and the Prism Launcher post that references it, it seems a bunch of compromised accounts were used to update quite a number of popular mods to insert malicious files. According to the report the issue goes back multiple months, so it's not exactly clear just how wide-spread it truly is and work is ongoing by many people to figure it all out.
This malware seems to work across multiple stages, and both links above show you how you can check to see if you've been affected, which needs you to go hunting in a few places because it will make new files and folders on your system. However, if you were using the Prism Launcher via Flatpak on Linux the malware likely would have failed to work due to the sandboxing. Either way, checking is a good idea.
For a good place to download mods you can look to Modrinth and the Prism Launcher.
If you need a Steam Deck guide for Minecraft check out this article.
if i play on the vanilla launcher, am i still at risk? or is this only affecting modded players
This sounds like it's specific to mods on those platforms; vanilla should be unaffected as there's no word of any sort of related compromise on the Microsoft / Mojang side.
That said, I was having issues with their authentication service last night so I'm not sure if they're aware and potentially taking things offline temporarily to audit them or not. Safest is always 'not to play at all until everyone gives the all-clear', but personally I think the risk is minimal if you're just on vanilla with the official launcher.
if i play on the vanilla launcher, am i still at risk? or is this only affecting modded players
This sounds like it's specific to mods on those platforms; vanilla should be unaffected as there's no word of any sort of related compromise on the Microsoft / Mojang side.
That said, I was having issues with their authentication service last night so I'm not sure if they're aware and potentially taking things offline temporarily to audit them or not. Safest is always 'not to play at all until everyone gives the all-clear', but personally I think the risk is minimal if you're just on vanilla with the official launcher.
To clarify, a part in this malware attempts to infect any jar files it can find. If you've never downloaded Minecraft mods before you should be fine but the actual original vector cannot be determined as it could have come from anything targeting jar files. It still does seem likely this was targeting the Minecraft modding community though.
However, if you were using the Prism Launcher via Flatpak on Linux the malware likely would have failed to work due to the sandboxing
As much as people like to harp on about the size of flatpak / snap and their failings vs regular packaging methods. It's nice when we get to appreciate the positive sides of application sandboxing and even as per the recent article, new technologies like immutable file-systems.
btw as a reminder don't forget you can further restrict flatpak's with flatseal and should someone argue that even flatpaks can be compromised, as an example i am using my password manager inside a flatpak + i have network functionality + external device access turned off for it too.
https://flathub.org/apps/com.github.tchx84.Flatseal
Last edited by Lofty on 7 June 2023 at 5:59 pm UTC
as an example i am using my password manager inside a flatpak + i have network functionality + external device access turned off for it tooWhat does that do? Where does it store the sensible data? How does the flatpak partial sandbox protect the passwords from getting stolen during usage?
The sandbox can potentially (!) protect the host from something inside a flatpak but not the other way around.
as an example i am using my password manager inside a flatpak + i have network functionality + external device access turned off for it tooWhat does that do? Where does it store the sensible data? How does the flatpak partial sandbox protect the passwords from getting stolen during usage?
The sandbox can potentially (!) protect the host from something inside a flatpak but not the other way around.
maybe im too paranoid or looking at this from the wrong angle then 🤔️. My (admittedly, probably wrong) thinking would be that whilst my application which has browser integration and various network agents running is open and my computer is connected to the internet, turning of the ability for the application to be able to even be accessed by network traffic would help.
i guess im wrong but then il still do it because it makes me feel good
Last edited by Lofty on 7 June 2023 at 8:10 pm UTC
I created a new FTB server on April 22 and it appears to be OK, thankfully.
btw as a reminder don't forget you can further restrict flatpak's with flatseal
I really like Flatpak for exactly the reason that it makes sandboxing stuff (especially proprietary things like games, but of course other things, too) so easy and convenient.
BUT i would almost go as far as not saying 'you CAN further restrict' but to say 'you SHOULD look into flatseal (or the like).
It's not as common as some flatpak-critiques make it sound, but there are indeed more than enough apps that just request full access to the filesystem or the home directory - so checking and adjusting (at least!) file access after installation is almost a must in my eyes!
Last edited by Termy on 8 June 2023 at 7:28 am UTC
turning of the ability for the application to be able to even be accessed by network traffic would help.Sorry for the late response.
I don't want to discourage you, but I want to point out that it is better not to feel too safe due to some promise of sandboxing.
See more from me