The new "Fractureiser" malware, capable of stealing information from Minecraft players' computers, is actively spreading through user modifications on the Bukkit and CurseForge platforms.
Attackers broke into several accounts on these platforms and replaced popular mods and plugins with malicious code. Among the affected modifications, those listed below are definitely present, but there may be even more.
The malware embedded in the modification is capable of stealing cookies, account credentials, cryptocurrency wallet addresses, and other sensitive information. In addition, it can register itself in Windows autorun, as well as self-propagate to other ".jar" files in the victim's file system, infecting other user mods in order to repeat the infection chain if the gamer identifies and removes the original malware.
Players who have downloaded mods or plugins from CurseForge or Bukkit within the past three weeks are at risk, but the full extent of the infection has yet to be assessed.
If you think you may be one of the victims of this malware, you can check quickly. Go to the "%LOCALAPPDATA%" directory and look for a "Microsoft Edge" folder there. If no such folder exists at that location, your system is most likely not infected. If the folder is present and contains the "libWebGL64.jar" or "lib.jar" file, your computer has most likely been compromised.
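The folder check described above can be scripted so that it covers every user profile on a machine or on a mounted disk image. This is an added example, not code from the researchers' report; the profile layout `<user>/AppData/Local`, the function names and the verdict labels are assumptions, and `folder_only` (folder present, neither file inside) is a case the article gives no verdict for.

```python
import os
from pathlib import Path

IOC_DIR = "microsoft edge"                   # folder name from the article
IOC_FILES = {"libwebgl64.jar", "lib.jar"}    # file names from the article


def check_local_appdata(local_appdata):
    """Apply the article's check to one %LOCALAPPDATA% directory."""
    base = Path(local_appdata)
    try:
        # Compare names case-insensitively so the check also works on a
        # disk image mounted on a case-sensitive file system.
        folders = [p for p in base.iterdir()
                   if p.is_dir() and p.name.lower() == IOC_DIR]
    except OSError:
        return {"path": str(base), "verdict": "unreadable", "hits": []}
    if not folders:
        return {"path": str(base), "verdict": "folder_absent", "hits": []}
    hits = []
    for folder in folders:
        try:
            hits += [str(f) for f in folder.iterdir()
                     if f.is_file() and f.name.lower() in IOC_FILES]
        except OSError:
            pass  # unreadable folder: reported as folder_only for manual review
    verdict = "indicator_files_present" if hits else "folder_only"
    return {"path": str(base), "verdict": verdict, "hits": sorted(hits)}


def scan_profiles(users_root):
    """Check every profile under users_root (assumed layout: <user>/AppData/Local)."""
    results = []
    for profile in sorted(Path(users_root).iterdir()):
        local = profile / "AppData" / "Local"
        if local.is_dir():
            results.append(check_local_appdata(local))
    return results


if __name__ == "__main__":
    # Current user only; pass a path such as C:\Users to scan_profiles()
    # to cover every account on the machine.
    current = os.environ.get("LOCALAPPDATA")
    if current:
        print(check_local_appdata(current))
    else:
        print("LOCALAPPDATA is not set; call scan_profiles() with a Users directory")
```

A `folder_absent` result matches the article's "most likely not infected" case, and `indicator_files_present` matches its "most likely compromised" case.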
If the system is infected, it is recommended to completely remove Minecraft from the computer and carefully scan the system with reliable anti-virus software, remembering to check for unexpected entries in Windows startup, the Task Scheduler and the system registry.
As soon as you are sure that the computer is clean, you can reinstall the game, but for now you should refrain from using plugins from CurseForge and Bukkit, as well as other modifications, at least until there are official statements that the sites are completely cleared of malicious code.
For more technical information about Fractureiser, including how the malware works, how it spreads on the infected system, and the registry paths where the malware can leave files for re-infection, see the researchers' comprehensive report on GitHub.