Think it would've been helpful to show the mod's icon, and maybe the crash context mod, but I also understand if you're unable to find it since the mods are already taken down. Also would've been nice to know what the mod actually did. The idea being people affected may be more likely to realize they're affected if they see a familiar mod icon or know what it did. I have a program called "WindowedBorderless" but it's not a Minecraft mod, but a standalone .exe that helps me resize certain games' windows and such and feel this may have gotten me worried for nother. xD
I personally don't think it's anywhere near as bad as what happened with Curseforge, with my understanding Curseforge initially refused to take down infected reuploads of open source mods until there was massive backlash. Modrinth has taken action essentially right as it was discovered and reported.
idk if the reuploads hqd malware or not (only malware on cf i heard was the fracturizer thing) but reuploads of open source mods would be legally fine. is it disrespectful to the original creator? maybe? but then don’t have your mod use an open source license and then complain when other do stuff the license allows
Bottom line... Modrinth was quick to spot this and be transparent about it, much more so than curseforge faced a similar situation. Only ~370 downloads before it was disclosed. Yet the clickbait thumbnail is what people see. They dont watch the video or listen to anything. Modrinth handled this in the best way possible, but farming views is more important than conveying that.
I was unlucky myself and downloaded the mod. Luckily it was an older version where it only stole PC info. So I'm happy to have come out of it okay. I am very happy that Modrinth has been so transparent to inform us quickly!
If you're still looking for an alternative there's a great program I use which can work with any game called Borderless Gaming. It requires a small amount of setup, but nothing too challenging. I'd recommend it.
I'm not tech-savvy, but stick to popular mods if you don't want to get infected. Hackers won't create big mods to steal personal info, and the maintainer of the big mods would probably read every line of code submitted because their reputation and passion are on the line.
@@basic6735 the face behind the recent xz linux backdoor. they used social engineering to get trusted access by making lots of genuine contributions, and then inserted malware. Luckily it was caught early. they were also likely state sponsored, but the tactics could be used by anyone to exploit an over burdened maintainer
Thank you so much!! This was so helpful!! I did in fact download this by accident as a play a sever called Hoplite and as a custom server they provided a mod pack that did include this mod. So yes i did delete it but i do not know if the damage is still there. Please tell me more on what I should do? Love the vids!! i would have not know until I watched this vid that it was a malware, so many thanks!!
Fun fact: the mod named "Xenon" which is a fork of embeddium already has a borderless mode built into it. I know it's only for forge tho but still worth mentioning if anyone wants to just avoid getting borderless mods in the first place.
Perhaps there is a way to make Modrinth safer: Promote FOSS mods, demote proprietary mods, and give FOSS mods having reproducible builds a seperate badge. Reproducible builds with FOSS mods is one of the ways to ensure nothing else gets mixed in the final product built with the source code at hand. Or in layman's terms, malicious intention will have to be public.
Isn't that the purpose of windows 11 using tpm and pluton? Data scrub is useless if the data is encrypted. VBS virtualizes apps in their own sandbox to prevent say, a malicious process from accessing files? At least that's what I thought these systems were for. To make malware less threatening and easily removable.
In ur opinion Which is the BEST launcher to mod Minecraft? I’m new to Minecraft and mods in the whole game so downloading and adding files manually feels a bit risky for me.
I think they should just make an algorithm that checks for unregularities in the code and reports them to a real moderator to make sure it doest just randomly ban mods btw what shader where you using in the footage behind ?
Actually Modrinth performs antivirus checks on each file you upload to the platform, but... if you want to bypass an antivirus, and you know how to, you will bypass it.
@@Cygnus_MC from the Modrinth announcements channel & «We were scanning projects all day yesterday. *We can confirm that all projects created on Modrinth since it's beginning almost 3 years ago have been scanned and are not affected by the "fractureriser virus", and therefore are safe from the recent malware outbreak.* Modrinth was not affected by this attack. ... We will be resuming file moderation for all project types. New files (as before) will be allowed on the site. All new content will still be scanned for the virus before it is approved.»
So hey, I just got started with modded Minecraft, and there are some mods I want to download that aren't available on Modrinth so O have to use Curseforge. What I want to know is, how do I know if a curseforge mod is safe? (Y'know given the whole fracturizer fiasco from a year ago)
Just going to drop this comment now, haven't finished the video yet so apologies if it comes up at all. For anyone looking to make any game, not just Minecraft, play in a borderless fullscreen mode there's a great application I use for the Bedrock edition of the game called Borderless Gaming. It takes a small amount of effort to set up, but it works very well and you can use it if you were affected by this mod containing malware.
How about a tutorial video Lunar? I enjoy Redstone tutorials and I also appreciate your effort in research about mods. My favorite mod of all time is the Mekanism mods by Brady.
@@Cygnus_MC Speaking of MODS, what mods do you like best? As I mentioned in on of your other videos, I absolutely love MEKANISM by Brady. I also like the JEI mods and the JounreyMap.
Well I think that working on this algorithm is pretty much the best thing they can do to prevent another situation like that. Even if it wouldn't have full effectiveness. (I mean that isn't even possible without ACTUAL AI proficient in Java. But that's is going wey beyond just algorithm.)
@@Cygnus_MC The thumbnail makes modrinth look like it's to blame, and can't be trusted. The start of the video also doesn't really do modrinth great in my opinion. Modrinth resolved it very quickly and let people know really fast about the issues that happened. I know you gotta do your usual clickbait or something to work on RU-vid, but implying modrinth is unsafe is just wrong If you think modrinth should have done a better job at moderating it, think about the hundreds of projects the content moderators need to go through every day, and that there are only two of them. Sure, they could have automated checks, but it's kind of difficult to do with jar files. People on modrinth discord also do decompile and check when someone comes and says "X is a virus!", the community tries to help them do their job
@@blrryface This video was intented to say "hey be carefull what you download", as modrinth at the time didnt have any new measures in place to prevent malware like this as i discussed later in the video. Now i did mention they are improving this, and that curseforge has the same issue, but that doesnt obsolve them from critisism. If u want a more positive look into modrinth, i suggest watching the video i interviewed them.
@@blrryface No ur not stupid, ur right to be critical! More people should be. Dont get me wrong i love modrinth, and i always use it above curse, but that doesnt mean its perfect u get me?
I'm really surprised they don't have a built in sandbox system on their backend for checks like this. I'm even more surprised that people STILL don't scan the shit they download before installing or running. This was preventable on so many levels, both on Modrinths end as well as the end user's.
It's actually quite difficult to do sandbox testing on software. It just spits out a bunch of things the software is doing, and whether that's malicious behavior or not is quite tricky to determine especially in an automated toolchain. This becomes even harder when malware includes detections for VMs or lays dormant until a certain date. On the users end it's no different it's actually quite common for malware scanners to not detect a custom malware strain, they are nowhere near as foolproof as many people think. Typically Windows Defender should scream when it detects there is malware, however unless the malware is already known most scanners are just as defenseless.
@@Cygnus_MC I checked after I made the reaction and the blog also mentioned Firefox. At the time of the discord message it didn't mention any browser examples like Firefox. And it looks like the discord message is deleted now. Probably at the time of the video making modrinth wasn't clear about if it included firefox based browsers or not.
Linux isn't immune from malware, especially in this context since Java malware can execute on any computer with java installed (which people playing Minecraft have it installed). Sometimes they do target specific operating systems but Java can execute on any OS, and can be made to infect all platforms.
Eh most of the time it doesn’t work right on Linux even if it does technically ‘run’ because people who make viruses often don’t put in the effort to make it cross platform and build in security measure are still resistant
For example for the other fracturizer malware that was technically cross platform. On Linux, [fractureiser] tries placing systemd unit files in /etc/systemd/system or ~/.config/systemd/user. The unit file it places in the user folder never works, because it tries using multi-user.target, which doesn't exist for user units. Oh yeah and it needs to be run as root.
This is not even to mention many people run Minecraft and its launchers on Linux in a self contained Flatpak that would never even be able to write the file in first place.
Funny thing is curseforge has these cases much more they had a case qhere it had over 370 downloads before spotting it then taking it down 3 weeks later instead of immediatley
Fml. I JUST installed modrinth a month ago. So much for "dedicated to vetting projects to protect users". I thought the whole reason they barely had any mods was that each one was being vetted.
I'm going to have a controversial take here, there is a solution to check every jar file and not have a huge team that has to deal with everything for hours, you could idk have an AI do that, and this is why my take is controversial because everyone goes "boo AI bad" and yes for what we use it rn it's bad but imagne we run an AI that just has to glace through the code of jar files and determine if it's malware or not, and if it determines: yep malware, then we have a human also test it and say "yep this is malware" or go "no, this is false positive", could be a pretty simple tool to help unload on the small team of people that have to check every jar uploaded, and now also supposedly check every update because malware exploitation otherwise it's the trust system (which now having been exploited is exposed), or a large team to check every jar and update which also doesn't work either way a small issue sure, but can snowball into a big issue which is why you addressed it
Yeah, that’s every company right now working on the AI defense system for Malware and viruses, but unfortunately, this will take some time for the AI to learn correctly. not only that, but they’re also trying to make their sandbox emulation for the test so the AI can test the mods to verify if they are safe or not this also will take some time to figure out how to make it,
Malware detection using AI is the dream and main project of most if not all antivirus. But it’s not as simple as it sounds. Things like ChatGPT or so are good at code (actually no they’re bad but that’s an entire different topic), but they use millions of lines of code to do so (Hello GitHub) And while there is malware databases, there is just so many ways to create a malware and hide its purpose in plain sight using legitimates methods than AIs are having a very bad time with static code reviews. And because it’s also legitimate to stop your code from being analyzed that way, a pirate can use anti-reverse engineering strategies and still seem legitimate… And dynamic analysis is … well detectable by the software, so sometimes the malware start by reviewing the environment to see if it’s in a testing environnement…
@@sniper201minecr yeah it will take time you are right, but atleast it seems like my idea is not as farfetched as I initially thought, speed also depends on the size of the company so modrinth may take ages (assuming they take the plunger) and then comes the counters, it's an endless battle like the immune system vs viruses and bacterias
There is also a issue with AI in malware defense since you can train AI to defeat AI. The cat and mouse race is not over by applying AI. This is basically what we already have with tools detecting AI images or texts and generative AI becoming better at outsmarting those tools as well. The data to feed the model is quite tricky as well, for one getting training data is not that easy especially since this should have a focus on jar mods (which is not that common in the wild) the performance of the model will be hugely impacted by the training data. What to data points the AI should look out for is similarly a big question and part of the research. Sandboxes have the drawback that detection methods exist and if the malware lays dormant inside a Sandbox it won't leave any malicious traces, similarly looking trough the entire bytecode is quite a noisy process and additionally it may have blind spots especially with inclusion of code written in other languages.
This is one of more than a few reasons (and the #1 reason) why I don't do mods. Other reasons include: * Mod/Loader incompatibilities * People growing too reliant on certain features to where they won't update until the mod updates or they "update" the mod themselves, and features that give a slight advantage over vanilla players using equivalent features (i.e. most minimap mods' "Last Death Point" versus the recovery compass and F3 screenshotting) * Mod/Mod incompatibilities * Server rules regarding certain client-side mods * "Wrong download link" if you don't have an adblocker, which will be less powerful with the next Chromium Manifest (Firefox ftw) * Mod dependencies * No Modding API * Bedrock Marketplace stealing hard work for a quick buck Any other reasons not to do mods that you can come up with?
Modrinth IS kind of lacking in mods, tbf. Curseforge still has more content. However, the idea behind that smaller content library was you'd get safer mods that passed greater scrutiny. That clearly wasn't the case.@@amthystxx
@@justapotota4330 thats chicken and egg. The mods exist: the delay in porting them to modrinth's platform is security. Tekkit had oodles of mods on release because they had everything else everyone else had- and barely any vetting.