[oefrha]

> A CDN compromise or cache poisoning is not out of the question due to Curse's usage of the extremely outdated and insecure MD5 to verify downloads.

If someone found an md5 preimage attack, they wouldn’t burn it on some random Minecraft players.

[barking_biscuit]

It's one of the biggest games in the world, so I can see the appeal of targeting Minecraft players, especially since a lot of them are children and don't know what's going on. I checked my sons computer for this malware yesterday, and luckily he wasn't infected, but I ran OSForensics on his computer afterwards to see if he did get infected what kind of data an attacker might be able to get, and there was all sorts of PII from myself and my wife having used that computer before at one point or another. I'm sure with such a large install base there's plenty of opportunity to steal lots of valuable info.

[Sebguer]

Some of the very first reports of log4j were against Minecraft servers. If you go look at the original Github issue in which it was identified, all of the posts prior to anyone understanding its gravity were from Minecraft server operators.