Unfortunate but urgent announcement to make.

If you use PolyMC as your launcher, we are urging all users to switch off of it immediately. Not tomorrow, today. The main keyholder for PolyMC's infrastructure has been compromised. We are currently recommending ATLauncher (atlauncher.com/) and MultiMC (multimc.org/) instead, and may have news about more alternatives at later dates.

This cannot be emphasized enough: uninstall PolyMC immediately if you have it installed.


@modrinth xeiaso.net/blog/OVE-20221017-0 seems to be a good succinct description of the situation.

@robryk @modrinth Nice to see a software project finally standing up to the troons.

@modrinth Frankly, this seems to me to be something-like-a-vulnerability since forever: using polymc gave code execution on your desktop to whoever runs the metadata server, without leaving any verifiable audit traces (something like binary transparency logs could be used to leave indelible audit traces of all versions of meta files that were ever used by clients). If I understand the related threads on Twitter correctly, then the metadata server would be contacted without explicit user request when "shit updates itself" (github.com/NixOS/nixpkgs/issue), so the rate at which that happens is likely nontrivial (so acquiring access to the metadata server would be valuable from the POV of creating a botnet).
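The "indelible audit trace" idea from the post above, as an added example that is not part of the thread and not code from PolyMC, MultiMC or any real launcher: a client-side, append-only, hash-chained log of every metadata version the launcher consumed, plus an audit that compares those hashes against the list the publisher says it shipped. The metadata file name `net.minecraft.json`, the helper names and the three sample meta files are constructed for this example; in practice the published hash list would come from a signed, publicly mirrored source so a compromised metadata server cannot also rewrite the reference.

```python
import hashlib
import json
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class LogEntry:
    index: int
    meta_name: str     # which metadata file the client fetched (assumed name)
    content_hash: str  # SHA-256 of the bytes the client actually acted on
    prev_hash: str     # entry_hash of the previous entry, "" for the first
    entry_hash: str    # SHA-256 over the fields above; binds this entry to its predecessor


def _entry_hash(index: int, meta_name: str, content_hash: str, prev_hash: str) -> str:
    payload = json.dumps([index, meta_name, content_hash, prev_hash], separators=(",", ":")).encode()
    return sha256_hex(payload)


class TransparencyLog:
    """Append-only, hash-chained record of every metadata version a client consumed."""

    def __init__(self) -> None:
        self.entries: list[LogEntry] = []

    def append(self, meta_name: str, content: bytes) -> LogEntry:
        prev = self.entries[-1].entry_hash if self.entries else ""
        idx = len(self.entries)
        chash = sha256_hex(content)
        entry = LogEntry(idx, meta_name, chash, prev, _entry_hash(idx, meta_name, chash, prev))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry is self-consistent and points at its real predecessor."""
        prev = ""
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev:
                return False
            if e.entry_hash != _entry_hash(e.index, e.meta_name, e.content_hash, e.prev_hash):
                return False
            prev = e.entry_hash
        return True

    def audit(self, published: dict[str, set[str]]) -> list[int]:
        """Indices of entries whose content the publisher never announced for that file."""
        return [e.index for e in self.entries
                if e.content_hash not in published.get(e.meta_name, set())]


# Constructed sample metadata; not real launcher meta files.
META_V1 = b'{"version":"1.19.2","java":{"url":"https://example.invalid/jre-17.tar.gz"}}'
META_V2 = b'{"version":"1.19.3","java":{"url":"https://example.invalid/jre-17.tar.gz"}}'
META_ROGUE = b'{"version":"1.19.3","java":{"url":"https://example.invalid/not-a-jre.tar.gz"}}'

# What the publisher claims to have shipped (assumed to come from a signed, mirrored source).
PUBLISHED = {"net.minecraft.json": {sha256_hex(META_V1), sha256_hex(META_V2)}}


def run_scenario() -> tuple[TransparencyLog, list[int]]:
    """Client records three fetched versions; the third was never announced by the publisher."""
    log = TransparencyLog()
    for content in (META_V1, META_V2, META_ROGUE):
        log.append("net.minecraft.json", content)
    return log, log.audit(PUBLISHED)


def tamper_and_verify() -> bool:
    """Rewrite an older entry (with a freshly recomputed entry_hash) and report whether the chain still verifies."""
    log, _ = run_scenario()
    e = log.entries[1]
    new_chash = sha256_hex(b"edited after the fact")
    log.entries[1] = LogEntry(e.index, e.meta_name, new_chash, e.prev_hash,
                              _entry_hash(e.index, e.meta_name, new_chash, e.prev_hash))
    # Entry 2 still carries the old prev_hash, so the rewrite is detectable.
    return log.verify_chain()


if __name__ == "__main__":
    log, unexpected = run_scenario()
    print("chain ok:", log.verify_chain(), "unannounced entries:", unexpected)
    print("chain ok after rewriting history:", tamper_and_verify())
```

The audit only answers "did this client act on something the publisher never announced"; it does not stop a malicious file from being applied, which is why the post pairs it with the wider problem of updates running without an explicit user request. Publishing each client's log head (the last `entry_hash`) to a third party would let an auditor later prove what the client saw even if the local log is deleted.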

Qoto Mastodon
