Malware Discovery Disclosure: "Windows Borderless" mod

Threat Analysis and Plan of Action

This is a disclosure of a malicious mod discovered to be hosted on the Modrinth platform. It is important not to panic or jump to conclusions; please carefully read the Am I Affected? and Threat Summary sections before acting.

Am I Affected?

If you run Windows and have downloaded a mod called "Windows Borderless" (specific files listed below) between May 4th, 2024 and May 6th, 2024 and have run the game with the mod installed, you are affected.

IMPORTANT NOTE: This mod is called, exactly, "Windows Borderless". There are other mods with similar names on Modrinth, which are NOT malware, such as "Borderless Mining", "Borderless", and "Borderless Mining Reworked".

If you have not downloaded that mod or do not run Windows, there is no reason to believe you are at any risk. We have released a detection tool available here which can scan your mods folder for the malicious files if you wish to make sure your instance does not have the mod. The tool is also open-source.

Download and run the detection tool here!

What do I do if I have used the "Windows Borderless" mod?

First, delete the mod entirely from your computer.

The mod harvested data stored by many Chromium-based applications such as Google Chrome, Microsoft Edge, Opera/Opera GX, Vivaldi, Brave and the Discord client, as well as Firefox and over a dozen more. This data may include account tokens, stored passwords, banking information, addresses, and more.

To protect yourself, treat every password saved in those browsers as compromised: change all of your passwords (this also invalidates stolen session tokens for services that tie tokens to the password, as Discord does), enable two-factor authentication where it is offered, and keep an eye on your bank accounts and credit cards.

Threat Summary

Exposure level: Low (~372 distinct IPs downloaded the affected files). One Discord account is alleged to have been stolen as a result.

Malware severity: Medium (Discord, browser, and system info stealer, but does not self-replicate)

Projects affected:

Name                 Project ID   Former URL
Windows Borderless   ZQpQzwWE     https://modrinth.com/mod/windowsborderless

Files affected:

Name                                       SHA1 hash                                  Version ID   Download count
windowedborderless-v0.2 - 1.20.4.jar       179b5da318604f97616b5108f305e2a8e4609484   NkTbhEmf     116
windowedborderless-v0.3 - 1.20.4.jar       1a1c4dcae846866c58cc1abf71fb7f7aa4e7352a   v87dk8Q7     15
windowedborderless-v0.4 - 1.20.+.jar       e4d55310039b965fce6756da5286b481cfb09946   pVfdgPhy     68
windowedborderless-v0.4 - 1.20.+.jar       2f47e57a6bedc729359ffaf6f0149876008b5cc3   Wt4RjZ49     119
windowedborderless-v0.4.1_-_1.20.+.jar     2f47e57a6bedc729359ffaf6f0149876008b5cc3   oIlYelrb     1

(The last two uploads share a SHA1 hash, i.e. they are byte-for-byte the same file published under two version IDs.)

None of these files were included in any modpacks on the Modrinth platform, so you are only at risk if you downloaded the mod directly.
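The check described under Am I Affected?, written out as an added example (this is not Modrinth's detection tool and not code from the project): it hashes every file under a mods folder and compares the SHA1 digest against the hashes in the table above. Matching on the digest is what matters, because a renamed copy keeps its hash and because the unrelated "Borderless Mining" style mods must not be flagged; a name-only match is reported as REVIEW, not as malware. The REVIEW verdict, the folder layout and the constructed demo files are assumptions of this example.

```python
"""Offline hash check for the affected files listed in this disclosure."""
import hashlib
import sys
import tempfile
from pathlib import Path

# SHA1 -> file name, copied from the "Files affected" table above.
KNOWN_MALICIOUS_SHA1 = {
    "179b5da318604f97616b5108f305e2a8e4609484": "windowedborderless-v0.2 - 1.20.4.jar",
    "1a1c4dcae846866c58cc1abf71fb7f7aa4e7352a": "windowedborderless-v0.3 - 1.20.4.jar",
    "e4d55310039b965fce6756da5286b481cfb09946": "windowedborderless-v0.4 - 1.20.+.jar",
    "2f47e57a6bedc729359ffaf6f0149876008b5cc3": "windowedborderless-v0.4 - 1.20.+.jar / v0.4.1",
}

# File-name prefix shared by the malicious uploads. A name match alone is
# NOT proof of infection (assumed heuristic of this example); legitimate
# mods such as "Borderless Mining" do not use this prefix.
SUSPICIOUS_NAME_PREFIX = "windowedborderless"


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file so large jars never have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_mods_folder(mods_dir, known=KNOWN_MALICIOUS_SHA1):
    """Return a list of findings: (path, sha1, verdict).

    verdict is "MALICIOUS" on a hash match and "REVIEW" when only the file
    name resembles one of the affected uploads. Every regular file is hashed,
    not just *.jar, because a mod renamed to ".jar.disabled" is still a copy
    of the malware sitting on disk.
    """
    findings = []
    for path in sorted(Path(mods_dir).rglob("*")):
        if not path.is_file():
            continue
        digest = sha1_of_file(path)
        if digest in known:
            findings.append((str(path), digest, "MALICIOUS"))
        elif path.name.lower().startswith(SUSPICIOUS_NAME_PREFIX):
            findings.append((str(path), digest, "REVIEW"))
    return findings


def run_demo():
    """Scan a constructed mods folder (files made up for this example).

    The hash of the first file is added to a private copy of the known list
    so the MALICIOUS path is exercised without shipping real malware.
    """
    tmp = Path(tempfile.mkdtemp())
    sample = b"constructed stand-in for a malicious jar"
    (tmp / "some-mod.jar").write_bytes(sample)
    (tmp / "windowedborderless-v9.9.jar").write_bytes(b"unknown build, name only")
    (tmp / "borderless-mining.jar").write_bytes(b"legitimate unrelated mod")
    known = dict(KNOWN_MALICIOUS_SHA1)
    known[hashlib.sha1(sample).hexdigest()] = "constructed sample"
    return [(Path(p).name, verdict) for p, _, verdict in scan_mods_folder(tmp, known)]


if __name__ == "__main__":
    # Usage: python check_mods.py <path-to-mods-folder>; no argument runs the demo.
    results = scan_mods_folder(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    for item in results:
        print(*item)
```

Point the script at the instance's mods folder (the one the launcher actually loads from; a multi-instance launcher has one per instance). A MALICIOUS line means the steps under "What do I do" apply; a REVIEW line means a file by that name exists whose hash is not on the list, which is worth a manual look but is not itself evidence of infection.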

Timeline

April 29th, 2:39pm - Project submitted for review as a legitimate mod

The Modrinth project "Windows Borderless" is submitted for review with a single file uploaded that does not contain any malware.

April 30th, 12:15am - Modrinth moderators approve the project

The "Windows Borderless" project is approved with only one file, which contained no malware.

May 2nd, 3:50am - New version containing malware is published

A "Windows Borderless" version containing the file windowedborderless-v0.2 - 1.20.4.jar (listed in the table of affected files above) is published. This initial version of the malware did not include any credential or token stealing; it only sent identifying information about the user's machine to a Discord webhook.

May 4th, 4:01pm through May 6th, 3:46am - More versions are uploaded

Between May 4th, 4:01pm and May 6th, 3:46am, further versions of the mod containing the malware were uploaded. All of these versions contain credential and token stealers.

May 6th, 7:21am - A Modrinth user reports the project

A user submits a report against the mod, alleging that their Discord account got compromised after using the mod.

May 6th, 10:37am - Modrinth moderators investigate the project

The mod is investigated by Modrinth staff. We decompiled the mod and found that it contained malicious code. The threat was immediately obvious, so within a few minutes we took down the project, all CDN links related to it, and all other projects by the same users.

Conclusion

In response to this incident, we are actively developing a shared system to quarantine known malicious mods: a web API that lets launchers check whether any file a user has downloaded matches an entry in our known-malware database, and that returns up-to-date information about any known malware.

We are also working with the relevant law enforcement agencies to pass along all information we have.

To increase safety more proactively, we are investigating possible methods of sandboxing Java mods or algorithmically detecting malware patterns in Java software. While these are infamously tricky to implement on certain platforms, we will do our best to ensure the best possible security for the modding community.
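One simple form of the pattern detection mentioned above, as an added example that is not Modrinth's code and not a signature set Modrinth publishes: unzip a jar in memory and search each entry for byte strings that a window-management mod has no business containing. The indicators are assumptions of this example, drawn from the behaviour described in this post (a Discord webhook for exfiltration, Chromium's credential stores); the constructed jar is built inline so the script runs offline.

```python
"""Static indicator scan over the entries of a Minecraft mod jar."""
import io
import re
import zipfile

# Illustrative indicators (assumed for this example). Java string literals
# sit in the class constant pool as modified UTF-8, so ASCII literals are
# visible to a plain byte search. Obfuscators that split or encrypt
# strings defeat this, so treat hits as triage input for a human reviewer.
INDICATORS = {
    "discord_webhook": re.compile(rb"discord(?:app)?\.com/api/webhooks/"),
    "chromium_login_data": re.compile(rb"Login Data"),   # Chromium saved-password DB
    "chromium_local_state": re.compile(rb"Local State"), # holds the DPAPI-wrapped key
    "discord_leveldb": re.compile(rb"Local Storage[\\/]+leveldb"),
}


def scan_jar_bytes(jar_bytes, indicators=INDICATORS):
    """Return {entry_name: [indicator names]} for every entry with a hit.

    All entries are scanned, not only *.class files, because strings can
    just as easily be stashed in a resource file and read at runtime.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            hits = [name for name, pat in indicators.items() if pat.search(data)]
            if hits:
                findings[info.filename] = hits
    return findings


def scan_jar_file(path):
    with open(path, "rb") as f:
        return scan_jar_bytes(f.read())


def build_constructed_jar():
    """A made-up jar for this example: one harmless class, one with indicators."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        # Class-file magic followed by a plausible windowing-related literal.
        zf.writestr("com/example/Borderless.class",
                    b"\xca\xfe\xba\xbe" + b"\x00glfwSetWindowMonitor\x00")
        # Same magic, but with a webhook URL and a Chromium path fragment.
        zf.writestr("com/example/Exfil.class",
                    b"\xca\xfe\xba\xbe" + b"\x00https://discord.com/api/webhooks/0/x\x00"
                    + b"\x00Login Data\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_jar.py <mod.jar>; no argument scans the constructed jar.
    import sys
    result = scan_jar_file(sys.argv[1]) if len(sys.argv) > 1 else scan_jar_bytes(build_constructed_jar())
    for entry, names in result.items():
        print(entry, ", ".join(names))
```

A legitimate mod that posts crash reports to a Discord webhook would trigger the first indicator as well, which is why a scanner like this should route matches to a moderator rather than block on its own; the combination of a webhook URL with browser credential paths in the same class is the stronger signal.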