Hackers were seen, once again, using Minecraft to distribute infostealers among the gaming community, capable of hijacking cryptocurrency transactions, stealing Discord authentication tokens, as well as cookies and login data saved in browsers.
According to cybersecurity researchers at Bitdefender, unknown hackers managed to compromise several developer accounts on CurseForge and Bukkit. These are modding communities where Minecraft fans meet to build and share various mods and plugins for the popular sandbox game.
The mods and plugins found on those accounts were then infected with the abovementioned infostealing malware. Given that they were subsequently added to different modpacks, their downloads are being counted in the millions, the researchers are saying.
The analysts claim that the earliest signs of the malware were detected in April 24, 2023. This version lacked many of the features it now has, suggesting that the attackers are actively developing the malware.
At the moment, the attackers are targeting mostly Linux and Windows endpoints, with the majority of victims being located in the United States. The researchers are also saying that the infostealer has a unique feature that targets modders and developers, exclusively.
In the later stages of infection, the malware will go for Windows Sandbox instances, which the mods usually use for testing. It will try to constantly infect the clipboard, in an attempt to infect the host.
“This behavior is isolated to Windows Sandbox, as it is the only virtualization environment that allows alteration of the host clipboard contents when the virtual machine is running in the background,” the researchers said.
So far, “dozens” of mods and plugins were found to be compromised with this malware, the report concludes. The full list of the affected plugins can be found on this link.
Minecraft is an immensely popular sandbox game, with currently more than 140 million active players.