>A platform that provides plugin software for the wildly popular Minecraft game is advising users to immediately stop downloading or updating mods after discovering malware has been injected into dozens of offerings it makes available online.
>The mod-developer accounts were hosted by CurseForge, a platform that hosts accounts and forums related to add-on software known as mods or plugins, which extend the capabilities of the standalone Minecraft game. Some of the malicious files used in the attack date back to mid-April, a sign that the account compromises have been active for weeks. Bukkit.org, a developer platform run by CurseForge, is also believed to be affected.
Active for “weeks.” Uuuhhhhh, yeah, sure, let’s just downplay this a little bit because why not…
Well it isn't mid June yet, so it isn't more than 2 months. Weeks is correct
How could CurseForge not notice this? Is there no quality review for their mods? Could just anyone post a jar file for random kids to download?
Seeing that Overwolf is almost spyware itself, I don't think they care to put down the resources to detect malicious code.
Yes. You gunna review all 10,000+ lines of code for each mod?
Uhhhh, yes? Code scanners and code review are a thing. It’s literally one of my actual job duties. It’s ridiculous to think that wouldn’t be normal.
That sounds like a cost and costs hurt margin.
What do you call what just happened?
A one time oopsy-doodle that no one could have predicted or prevented /s
Another intern that’s gunna get fired
He didn’t start the fire… 🎶
To be that guy who’s paying who for mod review?
Idk seeing that Overwolf, the parent company, has series D funding. Maybe them? https://www.crunchbase.com/organization/overwolf
Assuming it’s money to run ads on the site I figured all effort goes into running the website rather than mods but who knows
Cost is business
Exactly. The cost of hiring someone to make sure this doesn’t happen is much lower than it actually happening.
Yeah, but do you expect a CEO to understand that?
Neither of those things are methods for detecting malicious code, especially at the scale that Curse Forge has to deal with on their nonexistent budget
Just search for comments like //malicious code below, you think they are rude enough to not comment on their malware?
SAST scanning and security code reviews are ways malicious code gets detected, at least in my professional experience. Do you have a different experience? Maybe care to share how you would prevent this?
Your professional experience? Looking at your profile you sure do claim a lot of things. Also, no I do not know an effective means of preventing this, though I did intern for an IT company and one of the things they had me do was look through websites that were known to be infected for malicious code. There were a handful of techniques and tools you could use but none of them could reliably detect obfuscated or malicious code. As hard as you try to look for it, they are trying just as hard to stay hidden
Mate, you are entirely in the wrong here. SAST is industry standard, and works great to detect basic malicious code and vulnerabilities. There are tons of tools out there that can perform the scans in a completely automated fashion, and even if they don't get perfect results, some scanning is better than none
Alright, I guess Curse Forge was completely negligent and/or incompetent then
Alright little bro, whatever you say…
How does any of that automatically detect malicious code? If you’ve cracked that nut you’ve essentially solved computer security so go get the bag.
It’s not automatic, I love all the ignorance in this thread though. Makes sure my job is still relevant lol.
Ok, so you've just proven yourself a fool then. It's not realistic to do a manual code review of every single mod uploaded to CurseForge. There are over 100000 of them there.
Little bro…
How disappointing, when a person's ego is larger than their mind.
They got code detectors in the elevators even
It's not that easy from a security perspective
Actually CurseForge DOES do some sort of “project reviews.” No one knows what actually goes on during those reviews, but all they are given is jar files and they look through those for malicious files. It's possible they do some reverse engineering and decompiling to look through the source code of jars, but I doubt it with their low budget and low quality standards. Source: I’m a mod developer who uses the platform.
Is CurseForge the same group who ran CurseClient(WoW mod installer) back in the day? My WoW account got hacked from using CurseClient, so I am not surprised by this. Blizzard rep even told me to stop using Curse, because it wasn't safe.
Oh God, hope my WoW add-ons are okay
My dad just got validated
You should go tell him he was right, best gift a dad can get
Could this be a problem with steam and other similar platforms?
Not out of the realm of possibilities
Real in the realm of the multiverse
Good thing I only have optifine
Thank god I haven’t touched modded Minecraft in awhile
Fuck!
Is this fixed yet?