Sky Villages mod shipped Fracturiser malware
Part of the "Fracturiser mod campaign stole player credentials" campaign
The CurseForge account associated with the 'Sky Villages' Minecraft mod was compromised. Attackers uploaded a malicious JAR file appearing as a legitimate update for the mod.
Story
Sky Villages was one of the named Fracturiser carrier projects on CurseForge. The attacker did not need to invent a fake package; the trusted project page and maintainer path were enough.
The malicious upload arrived as a JAR update for the Forge/Fabric mod. When loaded by Minecraft, it gave the first Fracturiser stage a clean execution point inside the player's expected mod workflow.
From there, the campaign chain moved outside the game. Public analyses describe multi-stage malware that targeted Windows and Linux hosts and focused on secrets, persistence, and further compromise rather than visible game disruption.
That quietness was the core risk. A player could install or update Sky Villages for ordinary gameplay reasons and only discover the problem later, after the loader had used a normal mod startup path.
This record preserves the project-specific distribution surface. The campaign record explains the shared infrastructure; the artifact here names the CurseForge page players and responders had to check.
Affected Artifacts
Sky Villages [Forge/Fabric]
- Observed: 2023-05-01 to 2023-06-08
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes: sha256:5584ac1f8b713d2f6310bd3cde425b775402fbc70e56e5e8d774bec15703ca79
Incident Context
- Motive: Credential Theft
- Attribution: Group
- Cause: Compromised Account Credentials
- Transitive: No
- Actor: Cybercriminal Gang
External References
- June 2023 - Infected mods detection tool (support.curseforge.com)
- Fracturiser supply chain attack infecting Minecraft mods (securelist.com)
Source record: oss/attacks/sky-villages/meta.yaml