[RESOLVED!] Malicious code on CurseForge; access to CF has been disabled for ferium users

[theRookieCoder]

This has been resolved by the major mod distribution sites! See the comment below for information about how to use CurseForge with ferium again.

Expand the section below to see the original message.

Original Message

What's happening?

Many Minecraft-modding Discords have been spreading the news that some accounts of popular mod(pack) developers have been taken over. This is also being actively exploited to upload malware, notably bot-nets and system-level backdoors. You can get more detailed info from Prism Launcher's blog post, or by reading relevant messages on Discord.

What should you do?

DO NOT DOWNLOAD ANYTHING FROM CURSEFORGE
This is the most important step. If you have already done so, delete it permanently. If you've already run possibly-infected mods, disconnect your computer from the internet (physically if possible), or cut power to be extra cautious. Follow the steps on the blog post if you're comfortable with deleting system files.

What have I done to protect ferium users?

By refreshing my API key, I have invalidated the key currently in use. This means that it is now impossible for ferium users to access CurseForge unless they provide their own key. I will be releasing an update with a working API key once CurseForge deletes files with malware and ensures that these authentication bypasses have been rectified.
If this is not properly done, I will no longer provide a default CurseForge API key with ferium.

So how do I play with mods now?

You can still download mods from Modrinth and GitHub Releases, including using ferium. To my knowledge, neither of those have been compromised.

[theRookieCoder]

Here is CurseForge's statement: https://support.curseforge.com/en/support/solutions/articles/9000228509-june-2023-infected-mods-detection-tool

You can download their tool to check if you have been affected.

[Oddfrogg213]

is there a Mac version of that tool anywhere

[theRookieCoder]

This malware does not affect macOS, it only targets Linux and Windows.

[theRookieCoder]

Although I will be releasing an update asap, you can set CURSEFORGE_API_KEY to $2a$10$sI.yRk4h4R49XYF94IIijOrO4i3W3dAFZ4ssOlNE10GYrDhc2j8K. (my new key) to get CF working again.

[ST-DDT]

For easier copy pasting:

Linux/sh:

ferium --curseforge-api-key '$2a$10$sI.yRk4h4R49XYF94IIijOrO4i3W3dAFZ4ssOlNE10GYrDhc2j8K.' upgrade

Windows/cmd:

ferium --curseforge-api-key "$2a$10$sI.yRk4h4R49XYF94IIijOrO4i3W3dAFZ4ssOlNE10GYrDhc2j8K." upgrade

[theRookieCoder]

You can also alias ferium to ferium --curseforge-api-key '$2a$10$sI.yRk4h4R49XYF94IIijOrO4i3W3dAFZ4ssOlNE10GYrDhc2j8K.' if environment variables aren't easy to configure.

[AvallonAB]

It doesn't work for me as well, I used ferium --curseforge-api-key '$2a$10$sI.yRk4h4R49XYF94IIijOrO4i3W3dAFZ4ssOlNE10GYrDhc2j8K.' add 308892. Sorry for bothering

[PingIsFun]

Also don't forget to escape $ when adding it as an alias

alias ferium="ferium --curseforge-api-key '\$2a\$10\$sI.yRk4h4R49XYF94IIijOrO4i3W3dAFZ4ssOlNE10GYrDhc2j8K.'"

[ST-DDT]

@theRookieCoder It looks like these workarounds cause quite some confusion. Is there an ETA for the new release?

[theRookieCoder]

Also don't forget to escape $ when adding it as an alias

I would absolutely not recommend this, it's really hard to find and escape every special character, and you could easily miss a character. Single quotes can be used to input a 'raw' string that doesn't have any formatting.

@AvallonAB the snippet you provided works fine for me, are you actually getting 403 forbidden errors or something else? Also I'm not sure if raw strings work like that in Windows shells.

[AvallonAB]

yes it's the 403 error

edit: I fixed the issue by using double quotes. I'm not sure how it fixed the issue but it appears you were right about raw strings. Thanks a lot!

[T3sT3ro]

Is there a way to set API_KEY in config somewhere, or do I have to recompile ferium?

[theRookieCoder]

You can either use the environment variable CURSEFORGE_API_KEY or the CLI flag --curseforge-api-key

[tliron]

I would humbly suggest adding a line to read this from the config.json, too. Thank for your excellent software.

[KabanFriends]

Will there be a new build with updated CurseForge API key?