Safeguarding our community: CurseForge Fighting Malware Incident Report

Alon Rabinovitz · Published in Overwolf Blog · 5 min read · Jun 19, 2023

On CurseForge, we see millions of players browse the seemingly endless library of mods, modpacks, addons and custom content every single day. They discover exciting new adventures and worlds to try out, tools and addons, and unique sets of clothes and body customizations — all enhancing their game experience, or allowing new ways to express themselves. It’s a journey of creative discovery, which players regularly embark on, and immerse themselves in.

Trust

But, for players to embark on this “journey of creative discovery”, they must trust that the platform will ensure their safety and security. Trust forms the bedrock that enables the vibrant UGC ecosystem to thrive. It is through this trust that players feel safe to explore and try new content, confident that their journey will be safeguarded every step of the way.

Hence, we designed a meticulous 3-layered moderation process for CurseForge:

  • Layer 1 — Automated Tests. All files uploaded to CurseForge undergo a series of more than a dozen automated tests, including several anti-virus scans, file structure scans, compliance tests and more.
  • Layer 2 — Manual Moderation. Each time a project is created or updated, the project page is manually reviewed to ensure it meets the game developer’s guidelines, and does not include offensive content such as profanity, nudity etc. In addition to that, any file that triggers suspicion during the automated tests is immediately flagged for manual moderation. A security expert at Overwolf will then conduct additional tests, as well as live-testing the uploaded mod file within the game environment, when relevant.
  • Layer 3 — Community Reporting. We deeply value the modding community, and maintain open lines of communication with modders, such as closed Discord groups. In addition to regularly discussing feedback with the CurseForge dev team, modders use these active channels to report potential issues or suspicious mods. Additionally, the “Report a Mod” feature allows anyone on the platform, both players and modders, to flag a mod for inspection.

We recently faced a targeted malware attack against the CurseForge platform and several Minecraft projects. We want to take this opportunity to provide you with a detailed account of the incident, the actions taken, and the collaborative efforts made by our community to address the situation.

The attack on CurseForge — what actually happened

On June 7th, a malicious actor launched a targeted attack against the modded Minecraft ecosystem, the CurseForge platform, and its users.

The first step of the attack introduced a new form of malware, which was tailor-engineered to only infect Minecraft mod files (JAR files), thus evading detection by all commercial anti-virus software. Once downloaded, the malware attempted to download additional nefarious files to the user’s computer (harmful payload), accessing cookie files, passwords and login information.

The second step included creating multiple author accounts on CurseForge and uploading infected JAR files — hoping users would download the infected files as benign mods, and spread them to the rest of the community.

The third step happened when Lunar Pixel Studios (LPS), a major creator on CurseForge, had one of their devices infected by the malware. This allowed the malicious actor to impersonate the LPS creators and upload infected files to their popular mod projects.

Spotting the incident and immediate actions taken

The attack was first detected by our modding community, which immediately raised the flag and notified the CurseForge team (showcasing layer 3). A mere few hours in, a group of leading community members were able to spot the specific server from which the malware downloaded its nefarious files, and reported it to the hosting company, which took it down — effectively disabling the malware’s ability to deploy its harmful payload. This crucial action effectively neutralized the malware and the damage it could have caused. You can learn more about the extensive work by the community here.

Next, the CurseForge team and the community acted quickly to contain and resolve the incident. In the first 10 hours we:

  • Blocked the attacker’s author accounts
  • Deleted all project files from these accounts
  • Reverse-engineered the malware, and developed detection tools to spot infected files
  • Used these tools to scan the entire CurseForge database, identify and remove all infected files
  • Released the tools to be used by all users and the community
  • Created a comprehensive knowledge base, guiding users on how to scan and remove infected mod files
  • Provided real-time updates and information to our users and community, via Twitter and Discord
  • Added new automated tests to layer 1 that detect the new malware, malware of a similar nature, and other kinds of illegitimate file manipulation by uploaded files

The CurseForge platform typically sees tens of millions of file downloads each day, but thanks to the rapid response by the community and the fast reaction time by the CurseForge team, the infected files were downloaded about 6,500 times throughout the entire incident.

In the days that followed we continued honing the scanning tools and updated the CurseForge moderation process. In addition, with the help of the community we were able to track down the attacker and notified the authorities, who are now looking into pursuing legal action.

We are happy to share that all infected files have been removed, and preventive measures are in place. The CurseForge app and website are once again entirely safe for use for all games.

Takeaways and next steps

The nature of this attack was unprecedented, both in technical complexity and in the ill-intent of the attacker. A tailor-made new malware type, specifically designed to only target Minecraft mod files and evade all known commercial anti-virus software and scans, posed a significant challenge to our security infrastructure. CurseForge’s 3-layered moderation protocol was truly put to the test. Yet with the vigilance and resolve of the modding community, and the rapid actions of the team, we were able to address it head-on, and prevail.

We’ve also begun exploring additional security measures, in collaboration with the broader Minecraft modding community. Among the ideas we’re considering are the following:

  • Digital signatures: supporting the ability to digitally sign mod files before uploading them to modding platforms, mitigating the risk of impersonation
  • More robust 2FA: Improving our 2FA mechanisms, and employing them more broadly
  • Product improvements: add a clear indication of what behaviors users can expect from each mod file they download, to allow users to make more informed decisions
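The digital-signature idea above, as an added illustration that is not part of the original post or of any CurseForge implementation: an author signs each release with an Ed25519 key that never leaves their own machine, and the platform (or launcher) verifies uploads against the public key registered for that author, so an attacker who controls an upload account, as in the LPS case, but not the signing key cannot get a modified file accepted. The Release record, the author name "lps", the stand-in file bytes and the fixed key seeds are all constructed for this demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Release is a hypothetical record (not CurseForge's schema) kept beside an upload.
type Release struct {
	File, Signature []byte
	Author          string
}

// signRelease runs on the author's machine; the private key never reaches the platform.
func signRelease(priv ed25519.PrivateKey, author string, file []byte) Release {
	return Release{File: file, Author: author, Signature: ed25519.Sign(priv, file)}
}

// verifyRelease runs on the platform or launcher against the key registered for
// the claimed author; unknown author, altered bytes or another key all fail.
func verifyRelease(registry map[string]ed25519.PublicKey, r Release) error {
	pub, ok := registry[r.Author]
	if !ok {
		return errors.New("no signing key registered for " + r.Author)
	}
	if !ed25519.Verify(pub, r.File, r.Signature) {
		return errors.New("signature does not match file and registered key")
	}
	return nil
}

// scenario replays the impersonation case: the legitimate release verifies, while an
// attacker with the upload account but not the signing key is rejected either way.
func scenario() (legitOK, tamperedRejected, impostorRejected bool) {
	authorPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))   // constructed seed
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize)) // constructed seed
	registry := map[string]ed25519.PublicKey{"lps": authorPriv.Public().(ed25519.PublicKey)}
	mod := []byte("PK\x03\x04 constructed stand-in for a mod .jar")
	good := signRelease(authorPriv, "lps", mod)
	altered := append(append([]byte{}, mod...), " plus an injected class"...)
	tampered := Release{File: altered, Author: "lps", Signature: good.Signature}
	impostor := signRelease(attackerPriv, "lps", altered)
	return verifyRelease(registry, good) == nil, verifyRelease(registry, tampered) != nil,
		verifyRelease(registry, impostor) != nil
}

func main() { fmt.Println(scenario()) }
```

Real deployments would generate the author key with crypto/rand and bind key registration to a strongly authenticated account, which is where the stronger 2FA mentioned above fits in.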

Lastly, we are extremely grateful and proud of the CurseForge community’s response. The unity and determination displayed by users, creators, and stakeholders were truly inspiring. We’re honored to collaborate with this amazing community — working together to ensure players can continue embarking on the “journey of creative discovery”, and the Minecraft modding ecosystem continues to thrive.
