Cadey is coffee
<Cadey> Hello! Thank you for visiting my website. You seem to be using an ad-blocker. I understand why you do this, but I'd really appreciate if it you would turn it off for my website. These ads help pay for running the website and are done by Ethical Ads. I do not receive detailed analytics on the ads and from what I understand neither does Ethical Ads. If you don't want to disable your ad blocker, please consider donating on Patreon or sending some extra cash to xeiaso.eth or 0xeA223Ca8968Ca59e0Bc79Ba331c2F6f636A3fB82. It helps fund the website's hosting bills and pay for the expensive technical editor that I use for my longer articles. Thanks and be well!

OVE-20221017-0001: PolyMC appears to be compromised

Read time in minutes: 4

hero image cyberpunk-forest-fire
Image generated by Waifu Diffusion V1.3 -- studio ghibli, cyberpunk, trash can, fire, forest fire, forest, lots of fire

PolyMC is a modpack manager for Minecraft that allows users to manage multiple logical installations of minecraft with their own sets of mods or plugins. Today it seems that the main maintainer of PolyMC has deleted all of the contributors from having access to the GitHub ACLs and has removed the code of conduct as of PolyMC/PolyMC@ccf282593dcdbe189c99b81b8bc90cb203aed3ee. The main maintainer has also been reportedly using charged language and slurs freely as a result of being called out for this.

It is unknown at this time if PolyMC is compromised, but software like this being in the hands of reactionaries is a very sketchy situation. I am monitoring this situation and will give updates when I can.

It is unknown if it is safe to run existing installations of PolyMC, as it reportedly fetches metadata about .jar files to run at runtime from a now presumably untrustworthy service.

If you are a user of PolyMC, it may be best to uninstall it until we can get more information about this emerging situation. I am treating this as a compromise of the upstream because that is the least bad way to describe this. If you are a package maintainer for a distribution that packages PolyMC, use OVE-20221017-0001 as the vulnerability ID for your bug tracker. It may be best to yank or freeze PolyMC until we get more information.

Here are other discussions about this:

Future updates to come.

UPDATE(2022 M10 17 22:35): Minecraft mod launchers work by downloading arbitrary Java bytecode as instructed to by a metadata server. The metadata server that PolyMC uses is in the hands of the threat actor in control of the GitHub organization and as such you should treat any file that the PolyMC launcher downloads as advised by that metadata server as compromised. We do not have evidence of any compromise at this time, but the Minecraft mod ecosystem does not cryptographically sign mods when they are published so we have no way to easily tell.

Some people have advised that users of PolyMC can mitigate this issue by changing the metadata server that the client uses, however I do not feel this is a sufficient fix. I suggest that you should purge the PolyMC launcher from your systems and wait a few days for the dust to settle. No offense to the estranged PolyMC devs that are just trying to create a working solution for users, but there is not enough clarity to really know what is going on.

NixOS and Gentoo have masked the PolyMC package. PolyMC is no longer installable via those distributions. I am told that the Flatpak package is not under the control of the threat actor, but I want to wait and see.

Cadey is coffee
<Cadey> Happy monday, eh?

This article was posted on M10 17 2022. Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.

Series: CVE

Tags: minecraft polymc infosec

The art for Mara was drawn by Selicre.

The art for Cadey was drawn by ArtZora Studios.

Some of the art for Aoi was drawn by @Sandra_Thomas01.