e.g. https://www.curseforge.com/minecraft/mc-mods/crystal-craft
https://www.curseforge.com/minecraft/mc-mods/enchanted-tools
Someone’s investigation (and original reddit thread):
Downloaded a few versions of “mystical beasts”, extracted them, and ran commands like
diff -urN mystical-beasts_Beta_Client_Fabric_1.20.1/ mystical-beasts_Release_Server_Fabric_1.16.5.They came up… completely identical! Curse disallows uploading jars with the same hash but it looks like each one contains some amount of random crap after the zip footer; always an exact number of kilobytes too (
mystical-beasts_Release_Client_Fabric_1.20.1contains exactly 17 kilobytes of garbage data appended to the file,Server_Fabric_1.16.5contains exactly 21kb, etc) What’s also funny is that themods.toml- yes, it’s actually a Forge mod - contained within all the jars i looked at claims to exclusively support 1.19.4.The mod itself is an MCreator mod with assorted random shit. There’s a dimension but nothing in it afaik. It adds
polished_blackstone_brick_walltominecraft:overworld_carver_replaceables. There’s a recipe for crafting iron blocks into rooted dirt. You get an advancement called “Advancemnts” [sic] when you go to a beach. There’s a weird “procedure” (mcreator’s bizarre programming language) but I don’t think anything calls it? It also contains a shitton of ripped assets from minecraft (underassets/examplemod/textures/block/) probably to pad the filesize more.I took a cursory glance with a decompiler and didn’t find anything obviously malicious.
…
Endless Trash, Everywhere, Forever, all powered by AI! AI is the future :)
Thankfully both of the linked mods have been taken down. Have to be vigilant when downloading mods.
Endless Trash, Everywhere, Forever, all powered by AI! AI is the future :)
We love AI, AI is the best!
