Minecraft Mod Malware

17 Jun 2023
136,251 views

Fractureiser, malware distributed in Minecraft mods on CurseForge, steals your login credentials from browsers using a three-step Java .jar trojan downloader on both Windows and Linux.

Comments
  • As a Minecraft modder, this was a bit of a scare when it happened. I wasn't infected, luckily, but I fear we are going to see copycat viruses. This wasn't the first time malware has been injected into Minecraft mods, but usually it was because of silly fights between mod authors. It would be trivially easy for this to happen again. CurseForge claims they review all files, but they don't. At most, they check mod descriptions. There's also the problem that mc mods, which are unsigned, are really just arbitrary code you execute on your machine. It's what makes them so powerful compared to a lot of other game mods, but obviously it's a huge risk.

    @lhhn7245, 11 months ago
    • by that description I’m surprised there aren’t more of these cases

      @creationfied, 11 months ago
    • Just get Kaspersky

      @MaksKCS, 11 months ago
    • @MaksKCS having a good AV sadly isn’t the one-that-does-it-all solution to every malware problem…

      @hmm5844, 11 months ago
    • @MaksKCS 1.- That sht is Russian made; 2.- Antiviruses are only preventive, if you are already infected it won't save you; 3.- If you are careless, no antivirus will ever save you.

      @Splarkszter, 11 months ago
    • Wait for Mojang/Microsoft to react, because they will. Log4j response time. There's no way they'll outright abolish modding, but they could step in to regulate it, consolidating modding to their own ecosystem (think of the Marketplace potential for Microsoft). Ideally the modding community as a whole should come together in cooperation to find solutions, but given the history of MC politics, that could be a lot to ask. And the fact forge tried to get code signing introduced 10 years ago but no one adopted it. Something needs to happen, coz it's only a matter of time before more malware, potentially something worse and Microsoft isn't likely to let something like this jeopardize their image.

      @_BangDroid_, 11 months ago
  • This problem has been fixed by the major platforms like CurseForge and Modrinth, and now they scan the mods for it which is great

    @StereoMadnessss, 11 months ago
    • Yup. But it could easily happen again with different malware.

      @pcsecuritychannel, 11 months ago
    • @pcsecuritychannel Supply Chain Attacks are extremely lethal, the potential mass-damage they can cause is terrifying.

      @SLZeroArrow, 11 months ago
    • Honestly, that's not quite cutting it. I stumbled upon this community where they actually make you upload your source code to a moderator just to make sure it's safe to use. If it doesn't pass their inspection, they won't give it the green light.

      @H34Rt54, 11 months ago
    • Modrinth always scanned uploaded files with antivirus. It's not something that has changed in this platform

      @aleks-ivanov, 11 months ago
    • Are you sure?

      @yacinemarouf8472, 11 months ago
  • Never in a thousand years would I expect that creating Minecraft content with mods could be a battle between life and death, especially given how easily people miss these hidden threats

    @xofox_studio, 11 months ago
    • I mean, if your OS or something important is "destroyed" you could do a factory restart, and if you are unable to do that I guess go to a techie to open it up for you. So it's not that bad... At worst you need to reinstall Windows or... go to a techie.

      @Ralampos, 9 months ago
  • This has been some of my favorite security related content lately, I appreciate how quick you are getting some of these videos out while also making sure you have all the information available. Keep up the good content!

    @user-km6ue7cg5e, 11 months ago
  • Actually had to decompile a plugin and patch it once due to a rogue developer on the team installing a backdoor for admin permissions. I found and purged it, so the plugin was effectively what originally was requested.

    @enderger5308, 11 months ago
    • Well aren't you smart

      @imselfaware419, 11 months ago
    • What plugin was it?

      @officialromanhours, 11 months ago
    • cool story bro?

      @nv_takeout, 10 months ago
    • @nv_takeout we may never know

      @synexiasaturnds727yearsago7, 10 months ago
    • @officialromanhours from how he wrote it I guess it is a plugin he requested from a developer on some forum.

      @Salzui, 9 months ago
  • Been looking forward to you covering this, thank you

    @Stripedspot, 11 months ago
  • Keep on informing and making people more safe and black hats/virus coders/script kiddies and so on less effective and less of a threat! (this contains a lot of tech-info, it's up to us to make it more understandable....TBH, I don't get quite a bit of it myself, can't even imagine how this sounds to "80 y/o grandma" or "15 y/o TikToker"...)

    @AndersPack, 11 months ago
    • bruh either way you will be hacked

      @oneyoulike7596, 11 months ago
    • @oneyoulike7596 Don't close your doors because people could still lock-pick the lock, right? ;-)

      @igorthelight, 11 months ago
    • @oneyoulike7596 Yeah, I'm sure I'm the target of every hacker in the world...much like every irrelevant idiot is...did you make sure you aren't hacked, speaking of...?

      @AndersPack, 11 months ago
    • Bro donated 100 sехes

      @xDmakc, 11 months ago
    • @oneyoulike7596 u too bro

      @matipoint, 11 months ago
  • hey, what action do you suggest to check if any installed instances of modded Minecraft are compromised?

    @Wilker_uwu, 11 months ago
  • Do you think this would still be detected after some advanced obfuscation of the bytecode? Can you provide the sample to investigate?

    @xDefcon, 11 months ago
  • It's very important to note that there is a difference between /MicrosoftEdge/ and /Microsoft Edge/. The one with the space is malware, the one without is from Edge. (It's also possible there is no /MicrosoftEdge/ folder, but that isn't necessarily bad.)

    @Niels901, 11 months ago
  • The interesting part about this malware was that it would inject itself into existing jar files on your PC. So as soon as a mod developer got the malware it would spread by injecting a version of itself into all the jar files the developer would develop or use. And after the developer would upload his mod to a modding site it could spread further, infecting more mod developers that would also download or test other mods. This is why the malware was found on multiple mods on CurseForge uploaded by multiple different people. They were all infected by the malware that then spread further to other mods. The main site for the payload is now down. But there might still be hundreds or thousands of infected jar files out there that execute the first stages of the malware whenever someone executes those jar files in any way.

    @IceTank, 11 months ago
    • Dude that shit's like a biological virus!

      @DragonFury4250, 11 months ago
    • Damn, this is why I use Malwarebytes Premium, also Ghostery and uBlock, I also use a VM (virtual machine) to test anything that is suspicious.

      @nosepowder69, 10 months ago
    • @nosepowder69 fyi Malwarebytes said that they will not add signatures for any java-based malware and only ever try to detect it with behaviour analysis

      @Salzui, 9 months ago
  • You say that it's also for Linux, but it looks to be so far only for Linux distros that are using SystemD, of which I am not. In the section where the malware attempts to drop files, I legit don't have those directories. The advantages of using older style software that still gets maintained is very much alive.

    @bingusbongus1656, 11 months ago
    • It can't actually affect machines using SystemD, unless you're dumb enough to run your Minecraft launcher as root. The commands for adding the systemd services don't actually work.

      @troffdiga1067, 11 months ago
    • @troffdiga1067 LOL, that's pretty funny. Yeah it seems to take some serious levels of stupidity to allow privilege escalation. Also seems to be some stupidity on the malware authors themselves for not knowing how Linux works in that regard, seems they just tried to apply Windows thinking when writing it for Linux.

      @bingusbongus1656, 11 months ago
  • Looking at the thumbnail I thought this was going to be about the Overwolf app that CurseForge has a plugin for, I never did get a good feeling from that app c:

    @plazmasyt, 11 months ago
    • Lmao. I installed it once and all the behaviours it has, that sht is spyware dude, it has no need to be always running.

      @Splarkszter, 11 months ago
  • Big ups for your videos, thank you!

    @AndersPack, 11 months ago
  • Yes I remember that my old PC was infected 3 times because I always downloaded from 9minecraft. I was confused every time about what I did wrong but now I know, thanks!

    @invischrisx, 9 months ago
  • Thank you for finding this PCSC. I just got the new update for Minecraft and it is lagging horribly because it's not that good, and I was going to download mods so it would run smoother, and then I saw your video and realized I should wait and not get malware. So Thank You

    @klancyallred3994, 11 months ago
    • CurseForge said 3 or 4 days ago that it's fixed already

      @lovro_ribic, 11 months ago
    • This actually happened about a week ago

      @lovro_ribic, 11 months ago
  • I remember hearing in 2018 that png files of minecraft skins from the official minecraft website. But if you opened it, it would reformat the entire hard drive, including backups, and if your AV failed to catch it, the only way to get rid of it was reinstalling windows completely.

    @TheawesomeMCB, 11 months ago
    • Same, I remember that too.

      @Stripedspot, 11 months ago
    • a '.png' file can't do that, it must have been a double extension like the recent ".pdf.exe"

      @Splarkszter, 11 months ago
    • @Splarkszter Well.. you are right but there are ways to trick Windows into running a png file but it's an exe file... without changing the extension file name... so it would be a nice .png file but when you open it, it does a payload and you see the png image but oh no, you got infected without knowing it... well I don't know if it's still possible to trick Windows but it used to work on Windows XP

      @MsTatakai, 11 months ago
    • @MsTatakai right to left Unicode

      @Stripedspot, 11 months ago
    • @Stripedspot the regular way to download it by the game will result in it being renamed back to a random string of characters without even .png at the end

      @My_Old_YT_Account, 11 months ago
  • This is why when downloading Minecraft mods I usually check if it's available in Modrinth first before CurseForge, but if CurseForge is the next available thing then I will double check the mod if it's the one I am looking for and not a copycat

    @cannibalco0kie719, 11 months ago
  • My congratulations to Leo for doing this vid. To be honest when this idea popped up I disliked it, and you ended up making a very interesting video. Speaking about how to be secure against this type of malware and how to check if you think you are compromised. 👏

    @wissy0062, 11 months ago
  • Thank you so much for covering this, I've been quite concerned

    @liameyles1450, 10 months ago
  • Damn. This is crazy. We gotta be careful when downloading mods

    @ThunderBlastvideo, 11 months ago
    • not about the fractureiser malware tho, it's been taken down for good.

      @Salzui, 9 months ago
  • Very informative, thank you

    @TinchoX, 11 months ago
  • Finally you covered this!

    @BarraIhsan, 11 months ago
  • thanks for the news. i was not aware of this until i saw ur vid

    @NotYame, 11 months ago
  • This issue got pushed on CurseForge by the Iris/Sodium team due to them leaving the platform, leaving opportunities for hackers to upload fake Iris/Sodium mods, fooling people who were uninformed. I have switched to Modrinth since then

    @_somerandomguyontheinternet__, 11 months ago
    • Some of Modrinth's mods are still a virus tho

      @mr_alex1154, 11 months ago
    • yes but the sodium/iris/mod menu mods are so common that it's particularly easy to fall for such a trap on curseforge. The originals are still on modrinth at the top so they are easy to find

      @_somerandomguyontheinternet__, 11 months ago
    • @mr_alex1154 no

      @Salzui, 9 months ago
  • At the time of Fractureiser I was working on a java malware scanner, it was actually pretty fun to do a full analysis of fractureiser to see what it was doing. And for the cracked plugins part of Minecraft there is currently at the time of this comment a wave of malware there like an unnamed virus that has lots of classes for I believe injecting other jars and spreading, it has a class called "Franslator" so I just decided to call it that lol

    @rarehyperion, 6 months ago
  • I have a pc running windows 10. I visited some websites and downloaded pdf txt for college. I received a warning before accessing the sites but I didn’t think anything would happen. Now it flashes small black screens when it’s turned on when I have a window/page open, docx, excel, or nothing, just idled. Could you explain in a future video if it might be something to be concerned about and if there might be a solution? Thank you and keep making videos, even if I’m not tech savvy.

    @EthosLegos, 11 months ago
    • Plain pdf files can't do those things, check the file and make sure it isn't named ".pdf.exe" or similar. Otherwise sounds like your monitor is dying.

      @Splarkszter, 11 months ago
  • I have a question, I haven't opened up my cursedforge launcher in like 1 or 2 months and haven't run anything from it, I haven't downloaded any mods at all. Am I still at risk?

    @dogenator7117, 10 months ago
  • Actually it's microsoft SPACE edge, so it creates a new "microsoft edge" directory. If you have a directory WITHOUT the space, you're fine; if you have it WITH, then you're not

    @thomasharper9087, 11 months ago
  • So, with the rise of so many cookiestealers these days, is there a method to protect one's cookies from getting hijacked in the event that all other security is breached and the malware is already running on their system? Is there any way to restrict access to random software actually reaching the session tokens at all?

    @Xereniak, 11 months ago
    • Unfortunately Windows does not provide any user-friendly option of isolating one program's work files from other programs.

      @Salzui, 9 months ago
  • But isn't there any way/method/program etc. that can prevent an infostealer from accessing your Chrome folder and passwords/session tokens? There must be a way

    @Trayy_, 11 months ago
    • Chrome could encrypt your stored passwords, but they don't for convenience.

      @superslimanoniem4712, 11 months ago
    • @superslimanoniem4712 they should do it for session token/cookies also.

      @hellomine2849, 11 months ago
  • Can you do a video on the sample that hacked the OMV office in Baton Rouge?

    @GazelleEdge, 11 months ago
  • I'm so glad you're talking about this. Thank you for keeping everyone informed of these outbreaks so they can stay safe

    @atomisadev, 11 months ago
  • Hi there PCSC, the address the virus sits in is not the real Microsoft Edge; it is a false file path, meaning that the virus made that file. You can tell as the directory has “Microsoft edge”; the real Microsoft Edge doesn’t have that file name.

    @highlightproductions6344, 11 months ago
  • How long ago did this become a thing? I haven't modded in over 6 months, would I still be affected?

    @moonwolf2176, 10 months ago
  • I remember there was this person that only trusted mods from CurseForge which I found a little odd; but I guess since (as far as I know) it's the largest modding site for Minecraft, that makes people trust it. Just found it a bit odd since it's still a 3rd party. And I brought it up because this video reminded me.

    @MysticMylesZ, 11 months ago
  • @ThePcSecurityChannel I need help. I use the virus removers but the virus keeps coming back

    @silverbullet1096, 11 months ago
  • if i understand correctly, only through systemd? so Void users and other openrc users are prolly not affected

    @eustoliafukuyo6481, 11 months ago
  • Yes a video about this 😮

    @HerrGru, 11 months ago
  • Hi there, 4:24 how can I learn to read that stuff myself?

    @riperroxd7664, 7 months ago
  • I recently got malware from trying to download a Minecraft mod. It was a similar kind to this one, but not the same one. I'd generally pride myself on being tech savvy, I've modded other games a ton in the past, and I haven't had any malware in the past several years, yet all of that meant nothing as I downloaded this one seemingly legit file. It came from a seemingly legit website with a secure https url, I scanned the file before running it and no malware was detected, so should be safe right? Well, as soon as it ran it then closed itself and opened up a blank redirect in my browser before closing *all* Chrome windows a second later. Immediately seeing how suspicious that was, I disconnected from the internet and started running virus scans with a couple different anti-viruses, both detected nothing. Reassured, but not fully convinced, I shut down my PC without reconnecting to the internet under the assumption that shutting the computer down should stop anything from running. The next day, I ran another couple malware scans and once again got nothing, so I went back to using my computer as normal. A few days later, I get a notification from Windows Defender - which previously failed to detect anything - saying that it found and quarantined something, and recommending I reset my Chrome settings. After resetting, I finally noticed something suspicious with my browser; it had a tiny little message in settings saying that it was being controlled by an administrator - as if it were a work or school computer. Looking into it further, it turns out I had a browser hijacker which had given them the ability to alter my browser settings and potentially see what I'm doing. The hijacker had installed an extension which, due to the whole "controlled by your organisation" thing, I couldn't disable or uninstall.
After multiple reinstalls of Chrome, I had to go into my Windows registry and clear some malicious entries from it, use the command prompt to delete and reinstall a system file, and go into system 32 and delete specific files (normally very risky, but the only way to get rid of it in this case). The worst part is, the malware didn't make any changes for a few days, and it was only immediately after changes were made that Windows detected it and I was able to deal with it. But in that time I have no idea what information they got. None of my accounts have been accessed, no money has left my bank account, and I haven't been alerted to any suspicious actions, but it's hard for me to believe they had access to my main browser for days and got nothing.

    @FaeChangeling, 11 months ago
    • I'm sorry to hear you've experienced that. If you're okay with answering, what was the mod's name and what website was it downloaded from? I'd like to personally research it.

      @cheohatdog, 11 months ago
    • HTTPS: is not secure, it just means that the data is encrypted. Websites that are designed to do exactly what was described here have been around a long time. I would recommend, if you haven't already, removing the extension, resetting all of your browser settings, and then doing a reinstall of Windows. Your accounts may not have been accessed but may have still been compromised if you have saved any passwords to your browsers (they are saved in a file on your system with a set location). Malware can actually access this very easily and steal all of your passwords, usernames, etc. Whatever you've saved on your browser.

      @squingussquingle, 9 months ago
  • Why not use JD-GUI to browse the jar file?

    @roronoaeikichi, 11 months ago
  • This is why I hate modding in MC, not only that it's kinda difficult unlike gmod and tmodloader, stuff like this also happens frequently.

    @ProbNotCross, 11 months ago
  • You should do a video on setting up a secure vm

    @jay21317, 11 months ago
  • .PDF hi, is it safe to open a pdf on an iPhone? I have someone attempting to send pdfs to my email, oddly not much other mail there so it was easy to see they're trying to exploit me and it is an actual pdf

    @gjkrisa, 11 months ago
  • I just recently got multiple malwares from one Minecraft mod jar file, and it got so far in the process before I found out about it, it wasn't fixable. I had to completely wipe my PC and reinstall Windows.. thankfully my best friend was here at the time to help me through that.

    @zacherobay, 10 months ago
    • Wouldn't have happened if you used a proper antivirus.

      @nosepowder69, 10 months ago
    • @nosepowder69 yeah, I only got one after it was too late. learnt my lesson 😅

      @zacherobay, 10 months ago
    • @nosepowder69 antiviruses only started to detect this malware after the people detecting it made it public, contacted Curse (relatively big company), got a journalist to write about it, etc

      @Salzui, 9 months ago
  • 0:30 I’d just like to interject for a moment. What you’re referring to as Linux, is in fact, GNU/Linux, or as I’ve recently taken to calling it, GNU plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning GNU system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as defined by POSIX. Many computer users run a modified version of the GNU system every day, without realizing it. Through a peculiar turn of events, the version of GNU which is widely used today is often called Linux, and many of its users are not aware that it is basically the GNU system, developed by the GNU Project. There really is a Linux, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the GNU operating system: the whole system is basically GNU with Linux added, or GNU/Linux. All the so-called Linux distributions are really distributions of GNU/Linux!

    @wachsmalstift, 11 months ago
    • I'm trying really hard to not send nerd emoji rn

      @xDmakc, 11 months ago
    • 🤡

      @CoasterMan13Official, 11 months ago
    • Lol this Stallman pasta from a decade ago?

      @chrisdawson1776, 5 months ago
  • I have a question: can I use VirusTotal to check those infected mod files?

    @Blqzed, 11 months ago
  • I've used Curse since it was invented and I've never once gotten a virus or malware from any downloads. The old Curse, you would be more likely to misclick one of the fake ads and get a virus rather than getting one from the actual file DL, but they scan files these days.

    @pwnsolo443, 10 months ago
  • DEVS! That's why you should start modding in JavaScript or Lua with high level API. When you have one trusted Java mod as core and others are just 200 additions that differ from pack to pack (I'm not taking cube js into account as it sucks currently, saying as TypeScript senior). We actually even wanted to start a non profit project like CurseForge but with our game engine right in the browser that provides official mod API instead of original Minecraft. Just imagine that some ftb pack could be fully loaded (not only downloaded) within 20 seconds and could be optimized to 20mb of initial download size instead of 200-500. But for that project it meant finding people (as we had A LOT of work to do) and we almost had DMCA takedown instantly (prismarine was next), but that's a different story…

    @vitalysuper3193, 11 months ago
    • You gotta use what is available and fast enough. And I doubt Lua/Javascript reach that level with Java

      @Salzui, 9 months ago
    • This wouldn't work

      @Oeuvre-Bramon, 18 days ago
  • Does this virus work on a Chromebook? Or does it depend on the version? For example Windows.

    @alebud1403, 11 months ago
  • So if I don't have the Microsoft Edge folder in my local folder, am I safe?

    @sgfwcgluzxnzjtiwsgfwcgluzx7731, 11 months ago
  • My computer has not had auto run for like a year, does that mean it can't do anything?

    @user-qt5nz7tn4l, 11 months ago
  • When you say it scrapes all the stored passwords in your browser, will it also take any active sessions you are currently logged in at too?

    @sethalas, 11 months ago
    • "all stored passwords"

      @TheGhostFart, 11 months ago
    • Yes, it took ALL cookies as well, especially those juicy microsoft session cookies to sell your minecraft account access to cheaters. Luckily the fractureiser malware can no longer harm, all domains & servers it contacted to download the real malware parts and send the data to have been taken down.

      @Salzui, 9 months ago
  • TOPIC REQUEST: Hallo. Many of us use browser extensions to help with security. For instance, I use scriptblocker, adblocker, Bitwarden, and download managers on Firefox. The problem is the warnings I get when installing them: "This extension will access your browser history, change your settings, collect information, etc." Is that a boilerplate warning? Is it really happening? How can I find out what it is doing? How can I stop it doing that? Also, they really slow down the browser start up and the HD spins like mad. I think many of your subscribers would be very interested in a video on the topic. Thank you for a very informative and easy to understand yt channel. -Molly

    @timetraveller6643, 11 months ago
    • Hi Molly, In the case of extensions that block things it is likely true, they can't block a site without knowing what site it is, which means they need to know what sites you are visiting ie. browsing history. It does not mean that they are selling that data or making ill use of it. Just the simplest way to protect you. Of course there are complex technical ways to anonymize that data and you will have to research the specific extension to know how it is implemented. However, if an extension is causing your computer to overload it is likely not just that and you may have a malware extension, hard to say though, unless you know for sure it is the extension that's doing it and not Windows update for example, which is often more likely.

      @pcsecuritychannel, 11 months ago
  • I never allow public network, only private when asked. Is it bad or good?

    @kettujabamiesukkeliukko, 9 months ago
    • The virus doesn't care what you choose when windows firewall on default settings asks you. Because outgoing connections are always allowed by default.

      @Salzui, 9 months ago
  • i decided to play minecraft again after like 7 months and guess i was at the wrong time to do it

    @nguyenduythang7598, 11 months ago
    • the moment this all went down was a few hours after i downloaded some new mods. no one knew yet which mods were affected and i was SCRAMBLING to scan them and block shit. incredibly lucky none of the ones i downloaded were affected. i ALMOST downloaded When Dungeons Arise but i decided at the last second not to hit download bc i just wasnt feeling it anymore. saved my fucking privacy. havent played any minecraft since the news broke. too nervous that even after scouring every option and getting cleared that SOMETHING could be wrong.

      @peachfang, 11 months ago
  • It's impressive but actually logical that such a popular game like Minecraft and its open mod system become a target. It needs a proper platform to share mods instead of manual downloading.

    @carminator12, 11 months ago
    • In this case, the danger is /because/ the central platform itself was compromised. Many users have the CurseForge client, which handles all the complicated bits that common users might be less capable of doing themselves, and serves files from its own server. It's very convenient for making modpacks you can share with friends, but obviously it also means that if the devs of CurseForge aren't doing their part to protect end users, they become open to these kinds of attacks all the same.

      @Xereniak, 11 months ago
    • @Xereniak CurseForge scans the mods

      @blackpulsarproductionofficial, 11 months ago
    • @blackpulsarproductionofficial They say they do, and that's probably true. However, if you're a watcher of this channel you'd know that automated virus scanning can only do so much. In this case their built-in security failed, and the uploads became compromised.

      @Xereniak, 11 months ago
    • Minecraft has been a target for at least 10 years by now. Earlier in the days it was more phishing websites asking for email & password combined with bruteforce attempts ("combolists"). Nowadays, due to Microsoft accounts being used, the focus shifted to tricking users into pressing yes on ms-oauth, as Minecraft access is part of basic Xbox profile access, or using malware - generic all-kind info-stealer malware has evolved to specifically target Minecraft as well.

      @Salzui, 9 months ago
    • @Xereniak No, CurseForge was not compromised, just one popular mod creator account.

      @Salzui, 9 months ago
  • but who is gonna open a minecraft mod instead of adding it to the mods folder

    @crxnk69, 8 months ago
  • Would it be wise to avoid downloading any Minecraft mods at the moment?

    @proffrost2565, 11 months ago
    • The issue has been solved. You can download mods but you should scan them before running them

      @yacinemarouf8472, 11 months ago
  • I got an older version of some of these mods and I don't see them fake folders

    @Trist4nKans1l, 10 months ago
  • If someone didn't have Microsoft Edge folder on Windows when this happened.. would the virus create that folder or go somewhere else?

    @snipergecko, 11 months ago
    • The "Microsoft Edge" folder of the virus is not the one the actual edge uses at all. Edge uses the "MicrosoftEdge" folder - without space.

      @Salzui, 9 months ago
  • What makes browser password managers less secure than other password managers?

    @fluteplayerify, 11 months ago
    • With a browser password manager, an info stealer can dump the memory of the browser and steal cleartext passwords, while with a local password manager like KeePass it can only steal your database file, but it's encrypted with a strong password so it's useless for them. If you use an online password manager like Bitwarden, the only way to compromise it is to steal your password manager account, but it's hard if you pay attention and use 2FA (and yes, the password manager provider could be breached, but it's hard and they would still only have encrypted databases).

      @fedrix8895, 11 months ago
    • @@fedrix8895 If you are using the password manager while the info-stealer is running in the background, the password manager has to decrypt the password at some point and store it in memory. So can't the info-stealer steal that?

      @wayne1512, 11 months ago
    • @@wayne1512 Decrypted data lives on RAM, you would need to use the passwords for them to be stolen.

      @Splarkszter, 11 months ago
    • @@wayne1512 I think that they could, but there are a lot of different password managers that use different protection methods, so it's less likely to happen (and if you use cloud ones you're good).

      @fedrix8895, 11 months ago
  • I'm so glad I got bored of Minecraft 3 months ago and haven't opened it since. Scary thinking my Linux machine can be infected.

    @Splarkszter, 11 months ago
  • What if I download with the CurseForge app?

    @FringoGPO, 10 months ago
  • Fact: the Microsoft Edge folder doesn't have spaces. If it has spaces then it is a virus and you need to delete it immediately.

    @Maxim67459, 11 months ago
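
The check the two comments above describe (@Salzui's and @Maxim67459's: the malware's folder is named "Microsoft Edge", with a space), written out as an added example; it is not code from the video or from any commenter. It assumes the folder sits somewhere under the user's home directory, which the comments do not state, and the directory tree in `demo()` is constructed sample data.

```python
import os
import tempfile
from pathlib import Path

# Folder name with a space, as given in the comments above. Matching is
# case-insensitive because Windows file systems are.
LOOKALIKE_NAME = "Microsoft Edge"


def find_lookalike_dirs(roots, name=LOOKALIKE_NAME):
    """Return [(directory, [jar file names])] for each directory called `name`."""
    findings = []
    wanted = name.casefold()
    for root in roots:
        # Unreadable directories are skipped instead of aborting the scan.
        for dirpath, dirnames, _files in os.walk(root, onerror=lambda err: None):
            for entry in dirnames:
                if entry.casefold() != wanted:
                    continue
                hit = Path(dirpath) / entry
                try:
                    jars = sorted(p.name for p in hit.rglob("*")
                                  if p.is_file() and p.suffix.lower() == ".jar")
                except OSError:
                    jars = []
                findings.append((hit, jars))
    return findings


def demo():
    """Run the scan over a constructed tree: one benign folder, one lookalike."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        benign = base / "MicrosoftEdge"          # no space: not reported
        benign.mkdir()
        (benign / "cache.jar").write_bytes(b"constructed sample")
        fake = base / "AppData" / "Microsoft Edge"   # with space: reported
        fake.mkdir(parents=True)
        (fake / "placeholder.jar").write_bytes(b"constructed sample")
        return [(str(hit.relative_to(base)), jars)
                for hit, jars in find_lookalike_dirs([base])]


if __name__ == "__main__":
    # Assumption: scanning the current user's home directory is sufficient.
    for hit, jars in find_lookalike_dirs([Path.home()]):
        print(f"review before deleting: {hit}  jar files: {jars}")
```

A hit is only a reason to inspect the folder; the script reports and never deletes.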
  • Can an antivirus like the popular ones find it?

    @daviddiffaccount4922, 11 months ago
  • Now I am scared to download ANY mod now... Damn, I do love being paranoid.. yayyyyyyyyy

    @hurykles99, 11 months ago
  • With Minecraft requiring a Microsoft account recently, I linked a Microsoft account to it. Question is, does this allow Microsoft to gather more data on me through Minecraft somehow? What if I ran it on Windows? I was going to switch to Linux but I found myself reinstalling Windows temporarily for a few reasons: 1. my wifi & bluetooth drivers didn't work. 2. CurseForge launcher for Linux can only run WoW... for some reason. 3. Minecraft Windows 10 Edition can't run on Linux. Problem 3 I could solve with a VM I suppose... Problem 1 is a little annoying; I might need to buy a new piece of bluetooth hardware.

    @MysticMylesZ, 11 months ago
    • The requirement for Microsoft accounts allows for easy incorporation of Microsoft's security features. It reduces costs long-term as there's just 1 login system. Lowers the barrier for future game purchases from the Microsoft Store. Allows them to add Minecraft to PC Game Pass easily. Minecraft account theft "business" has moved on from phishing email+password or bruteforcing to malware and session-cookie stealing. Prices per Minecraft alt account went up like 5x-10x.

      @Salzui, 9 months ago
    • Maybe a bit late, but since you can no longer completely turn off Minecraft telemetry (only to a minimum), you would need a mod (yeah, I know) to disable all data collection.

      @fryvox3147, 9 months ago
    • I use Linux myself, so I wasn't affected (only if I had run Minecraft as root, which is stupid anyways). Also, if you use a sandboxing system that gives any program only the privileges it needs to function, the malware wouldn't be able to access any data besides Minecraft's anyways. Also, I don't know which distro you used, but just look at the Arch wiki for sandboxing for more information.

      @fryvox3147, 9 months ago
  • Is it yet safe to download minecraft mods?

    @Seizuqi, 11 months ago
  • Since when did the mods get infected?

    @kenyounotplease, 11 months ago
  • Help, I think I got one. How do I remove it? Help

    @Ioverwood, 11 months ago
  • Curseforge has a plug in on their site that can detect the virus. I was wondering if that may have been infected too.

    @InvasionAnimation, 11 months ago
  • I use an antivirus called ESET Internet Security, how good is it?

    @awoou, 11 months ago
  • You don’t run a Minecraft mod jar file though, you usually just put it in your Minecraft mods folder

    @Akotski-ys9rr, 11 months ago
    • Well, OptiFine and Fabric both provide an installation jar. It does make it more user friendly, but yeah, most mods won't be run like that, I agree

      @i_sekai, 11 months ago
    • right, but it runs (believing) that you've run the game with that mod installed

      @-v2i0, 11 months ago
    • The fractureiser malware was programmed to start at the same time when forge or fabric try to load the mc mod, it combined itself with the mod.

      @Salzui, 9 months ago
  • I'm secure and comfy in my container-based Linux OS.

    @_AndreLuiz, 11 months ago
  • can you do the steamunlocked adware?

    @oxtwentytwo, 11 months ago
  • You could use Jadx to decompile jar file to readable java code

    @quocd6171, 11 months ago
    • Normally yes, and the initial infection of a file is quite small and somewhat readable. The actual malware which the infection downloads is obfuscated too much for novice Java reversers to handle.

      @Salzui, 9 months ago
  • Will it be able to steal my passwords if I have the master password?

    @EvillNooB, 11 months ago
  • It used to get a Bitcoin Miner through Kronos (hacking client) when it used to be popular

    @LeonAlkoholik67, 11 months ago
  • But what about Mac? 0:49

    @Casonplayz, 11 months ago
  • My brother's computer was littered with them. A LOT LOL! All from MC. And that was a decade ago.

    @hapwn, 11 months ago
  • Is it in the Technic launcher?

    @cjlsniper, 11 months ago
  • thank u for saving me dude..

    @Tomori32, 11 months ago
  • Java should never EVER be run as root. If you are doing that, you deserve to have your machine trashed.

    @TheLukemcdaniel, 11 months ago
  • Please share your clear temp bat file 😅

    @supremdz, 11 months ago
  • What's a trusty password manager? Thanks!

    @Mininsular, 10 months ago
  • Why didn't V3 detect?

    @FHDUHD, 11 months ago
  • I never save any passwords or sensitive data in my browser and I highly discourage others from doing it. That's basically asking to get hacked.

    @evilzach1586, 11 months ago
    • This malware steals the session cookies of web pages. When you check "remember me" or use a website which still has you logged in when you open the browser the next day, saving passwords in your browser or not doesn't make a huge difference. Microsoft is especially vulnerable to this "remember me" session cookie stuff, as their system still blindly trusts session cookies even though someone logs in from the other side of the planet.

      @Salzui, 9 months ago
  • Finally tackling the real issues

    @Erik_Arnqvist, 11 months ago
    • Minecraft

      @mik3lang3lo, 11 months ago
    • He does that more often if you did not notice it yet

      @joepjoep9531, 11 months ago
  • O ffs, I just downloaded a mod yesterday. I haven't opened it yet, should I be fine?

    @2-bit567, 11 months ago
    • Yes

      @The99x99, 11 months ago
  • note: Their linux stuff is broken

    @crazycrystals, 11 months ago
  • CurseForge claimed all files to be safe but I'm still not downloading anything else

    @sebastianaltamirano4991, 11 months ago
  • It's really stupid for the makers of this virus to disguise it in Microsoft Edge. I have it debloated, I don't even have Edge lmao

    @JonelKingas, 11 months ago
  • This is probably why every time I download a mod my PC tells me this file may harm your PC, and it has done that for years

    @MyDarkspyro, 11 months ago
    • It's that a .jar is an executable file, nothing more

      @My_Old_YT_Account, 11 months ago
  • Great video! However, you should use a JAR decompiler to read the code easier! (just saves hassle)

    @exploding_andrey, 11 months ago
  • isn't it actually only Hard-coded for Windows and Linux?

    @joli22, 11 months ago
    • Yes, Mac users were unharmed; however, it has the potential to be updated to start infecting Mac users. The servers for the virus have been offline for a while, but still be wary, as many jar files (not just Minecraft-related ones) can still be infected and should be scanned. If you got infected, the best thing to do is a full wipe and restore of Windows, and a change of passwords, especially if you were logged into Discord, as the program was designed to steal tokens, which bypasses 2FA entirely. Changing your Discord password generates a new token.

      @squingussquingle, 9 months ago
  • what about mac users?

    @Auugh69, 10 months ago
  • Fuck it, I'm running Minecraft containerized from now on.

    @ChaosTheory666, 11 months ago
  • Somehow I wasn’t affected even though I had the packs. It’s because I didn’t use them for a year

    @dejay100, 11 months ago