Closed wolfhunter9660 closed 1 year ago
Hello, I have just uploaded the source cloth-config-11.0.99.jar that I uploaded to CurseForge to VirusTotal, and it came out safe from all the antiviruses (including Microsoft Defender).
VT: https://www.virustotal.com/gui/file/4091017e8c5eb4cac83a8e44d38aa41252b96104425de722988e813619ee9aae
It is very possible that your system is infected with a virus that injects all jars; please read more at https://github.com/fractureiser-investigation/fractureiser
Cloth Config is safe; however, in the event that your system is not infected with the virus I just linked, please contact me through Discord (you can join through https://discord.gg/Vs9AVkxjYY) or through Twitter (@shedaniel_, notice the underscore). I would like to get a sample of your injected jar. This is a very serious issue, and I wish you the best.
Update on the situation: I have checked out the fractureiser investigation as well as done a full jar infection scan, with nothing found.
I originally downloaded the jar file via Modrinth, so I tried downloading it via CurseForge with no issues or detection, which I found odd. Hopefully this information would help.
Thank you for your support on the issue, wolf_hunter9660
Hello there, just adding my two cents: I just downloaded the mod for 1.20 on Modrinth and Windows Defender detected it when trying to run it on Fabric.
Would you mind sending the (supposedly infected) jar over for investigation?
I downloaded the mod for 1.20/Fabric from Modrinth and CurseForge today (6/9/23), and both were detected by Windows Defender as Trojan:Script/Wacatac.B!ml
I too got this warning from Microsoft Defender.
I downloaded the 1.20 Fabric version from Modrinth.
I used the scanning tool linked above and there was no evidence of infection, and I have not used any of the mods that were discovered to be infected or downloaded any mods from CurseForge during the period where compromised accounts were believed to exist.
I suspect that this is a false positive from MS Defender.
Please contact me through the methods above or via email daniel@shedaniel.me with your jar. I would like to collect more information about this.
Again, uploading the jar to VirusTotal says it is not infected.
Thank you everyone for your comments. It was determined that this is a false positive by Microsoft Defender, which now no longer flags Cloth Config as a trojan.
I will close this issue; please continue to reach out if you have further questions about this.
Microsoft detected a common trojan script in the .jar file. Defender classified it as Severe. Thank you, wolf_hunter9660