More fake DSM's with malicious code in them! Please watch out! #121
Comments
yep, if you go to http://breadcat.cc its... something
Interesting site.. definitely as a cover-up
It also says "I make Minecraft stealers"
Hi! I know of one case where this exact mod you referenced led to stolen credentials and in-game items gone. The user has many repositories, different skyblock mods, all open source, all copied, and I am guessing all containing this exact file. I am now going to check the rest of them and submit a detailed report on GitHub (perhaps it does something). I will also post the text of my report here once it's done. If you (@EnderC00kiez @5vl) and others reading this could report him (https://github.com/skyblocknerd13), even just sending a reference to that post, that would be a huge help!
@3niXboi I didn't look at his other repos, although I'd definitely expect it. Good luck on the report - GH will ban them for sure.
I have completed the report, I will post it here in the next message. Please report him for malicious software and send this as a reference. I found traces of obfuscation in 2 of the repositories, one of them being the one you previously found (edited 11 days ago after you made this post). Could be he is watching this thread. Hopefully support gets him banned before he deletes his repos. By the way @5vl he had the same grabber in all of his 10 other repositories, with minor changes and quite pitiful attempts at obfuscation, if any.
This user (skyblocknerd13) has multiple repositories containing only compiled files with copied code from other (legit) sources, that are genuine Minecraft mods. He then adds malicious code including a token grabber to get access to the user's Minecraft login credentials. He then uploads only the compiled executable files to his repository. These upon running give the attacker access to their Minecraft account, and I know about one case where this led to them logging on and ruining a (Hypixel Skyblock) profile. Here are a few examples:
[attached screenshots not preserved]
Sent a report! Waiting for GH to reply/take action.
@EnderC00kiez Thank you! The URL the data was sent to is operated by Cloudflare, meaning we don't know much about who does this other than his province and country. I won't share that here tho, as it might conflict with the community guidelines. Judging by the repository I think a few people have been targeted by this other than this one instance I know of. Hopefully he gets banned and it doesn't happen again! edit: The first search result on Bing if you type in "Dankers skyblock mod" is the malicious one. Hope he gets banned soon!
I'm going to report breadcat's website to Cloudflare, to hopefully stop the connections for a while, then if we can unmask anything, we can proceed from there.
Thank you for all this info @3niXboi - I'll also report him to GitHub now, and the website to Cloudflare and whatever other company/companies is/are involved.
Reported to GitHub & Cloudflare, both linking to your comment!
I also found (what I think is) their hosting! In nr 4 (NEU) you can see "egirlpartey.ddns.net", which when I ping it returns an IP of a hosting provider. They also have a nice abuse email address! I'll make sure to send them an email as well.
@3niXboi @EnderC00kiez - User is now removed from GitHub!
Cloudflare also forwarded a copy of my abuse report to their hosting provider!
@EnderC00kiez @5vl Thank you so much for everything!
hmm... new closed-source GitHub repo with the same name, link: https://github.com/Sk1erLC/Dankers-Skyblock-Mod
@EnderC00kiez Yikes - I'll make sure to report it as well
@EnderC00kiez Sigh, some more to report I guess...
It seems like a bot posting multiple skyblock mods with malicious code injected. It's always the original filename (of the latest release of the actual mod). edit: repo name for DSM is always Dankers-Skyblock-Mod
@EnderC00kiez Yeah the file name is always latest release, but that isn't hard seeing that the last release was over a year ago..
Now Sk1erLC has been deleted... Was that GitHub or just them? @5vl
I don't know. I hope it was GitHub, because if it was them there'll probably be a new one very soon. Not that there wouldn't be if it was GH, it would maybe take a bit longer for them to know
If this naming pattern continues, we should be able to check https://github.com/search?q=Dankers-Skyblock-Mod&type=repositories to see if there are more - unless they are watching this thread
https://github.com/verifiedcode/Danker-s-Skyblock-Mod-v1.8.6-for-MC-1.8.9 Side note: wrong description lol
This one's empty: https://github.com/DANKER5/1.8.9-Danker.s.Skyblock.Mod.-.1.8.7
impersonator le thirde: https://github.com/Bowser00/SkyblockMod
They'd be stupid to not watch this thread ngl
https://github.com/skyblocknerd13/Dankers-Skyblock-Mod is fake. I decompiled the jar, and it had an extra class!
This is probably some kind of token logger.
Please watch out with what you download!
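The check described in the original post (decompiling the jar and noticing an extra class) and in the report above (compiled-only repositories re-uploaded with an injected class) can be partly automated before running a download. This Python script is an added example, not code from this thread or from the mod project: it diffs the entry names and content hashes of a suspect jar against the matching release jar from the official repository and reports injected, removed and modified entries. The package and class names and both in-memory jars are constructed for illustration.

```python
import hashlib
import io
import zipfile


def jar_entries(jar_bytes: bytes) -> dict:
    """Map each file entry in a jar (a zip archive) to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}


def diff_jars(trusted: bytes, suspect: bytes) -> dict:
    """Entries only in the suspect jar, only in the trusted jar, or changed."""
    t, s = jar_entries(trusted), jar_entries(suspect)
    return {
        "added": sorted(set(s) - set(t)),        # injected classes land here
        "removed": sorted(set(t) - set(s)),
        "modified": sorted(n for n in set(t) & set(s) if t[n] != s[n]),
    }


def build_jar(files: dict) -> bytes:
    """Build an in-memory jar from {entry name: bytes} (for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: package and class names are illustrative, not the real mod's.
TRUSTED_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "mcmod.info": b'[{"modid": "dsm"}]',
    "me/example/dsm/DankersSkyblockMod.class": b"\xca\xfe\xba\xbe original",
})
SUSPECT_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "mcmod.info": b'[{"modid": "dsm"}]',
    "me/example/dsm/DankersSkyblockMod.class": b"\xca\xfe\xba\xbe patched",
    "me/example/dsm/Updater.class": b"\xca\xfe\xba\xbe extra class",  # the injected one
})

if __name__ == "__main__":
    # Real use: pass open(trusted_path, "rb").read() and the downloaded file instead.
    for kind, names in diff_jars(TRUSTED_JAR, SUSPECT_JAR).items():
        print(f"{kind}: {names or '-'}")
```

Any name under "added" deserves a look in a decompiler before the jar goes anywhere near a game client; "modified" entries matter too, since a grabber can be patched into an existing class rather than dropped in as a new one.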