Unfortunate but urgent announcement to make.
If you use PolyMC as your launcher, we are urging all users to switch off of it immediately. Not tomorrow, today. The main keyholder for PolyMC's infrastructure has been compromised. We are currently recommending ATLauncher (https://atlauncher.com/) and MultiMC (https://multimc.org/) instead, and may have news about more alternatives at later dates.
This cannot be emphasized enough: uninstall PolyMC immediately if you have it installed.
@modrinth Frankly, this seems to me to be something-like-a-vulnerability since forever: using PolyMC gave code execution on your desktop to whoever runs the metadata server, without leaving any verifiable audit traces (something like binary transparency logs could be used to leave indelible audit traces of all versions of meta files that were ever used by clients). If I understand the related threads on Twitter correctly, then the metadata server would be contacted without explicit user request when "shit updates itself" (https://github.com/NixOS/nixpkgs/issues/196460#issuecomment-1281510701), so the rate at which that happens is likely nontrivial (so acquiring access to the metadata server would be valuable from the POV of creating a botnet).
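
The audit-trace idea raised in the reply above, as an added example that is not from the thread or from PolyMC: a client uses a meta file only if it can prove the file is an entry in an append-only Merkle log (RFC 6962-style hashing), so a file served outside the public log is rejected. All function names, the sample meta files and the assumption that the tree head reaches the client as an independently signed value are hypothetical.

```python
import hashlib

def _h(prefix: bytes, data: bytes) -> bytes:
    return hashlib.sha256(prefix + data).digest()

def leaf_hash(meta: bytes) -> bytes:
    return _h(b"\x00", meta)            # RFC 6962 leaf prefix

def _split(n: int) -> int:
    k = 1                               # largest power of two strictly below n
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves):
    if len(leaves) <= 1:
        return leaves[0] if leaves else hashlib.sha256(b"").digest()
    k = _split(len(leaves))
    return _h(b"\x01", merkle_root(leaves[:k]) + merkle_root(leaves[k:]))

def inclusion_proof(m, leaves):         # log operator side: sibling hashes, leaf to root
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_proof(m, leaves[:k]) + [merkle_root(leaves[k:])]
    return inclusion_proof(m - k, leaves[k:]) + [merkle_root(leaves[:k])]

def root_from_proof(leaf, m, n, proof):  # client side: root implied by the proof
    if n == 1 or not proof:
        if n != 1 or proof:
            raise ValueError("proof length does not match tree size")
        return leaf
    k = _split(n)
    if m < k:
        return _h(b"\x01", root_from_proof(leaf, m, k, proof[:-1]) + proof[-1])
    return _h(b"\x01", proof[-1] + root_from_proof(leaf, m - k, n - k, proof[:-1]))

def client_accepts(meta, m, n, proof, trusted_root):
    # Use a meta file only if it is provably entry m of the pinned n-entry log.
    try:
        return 0 <= m < n and root_from_proof(leaf_hash(meta), m, n, proof) == trusted_root
    except ValueError:
        return False

# Constructed sample: five versions of a hypothetical meta index file.
META = [b'{"uid":"example.component","rev":%d}' % i for i in range(5)]
ROOT = merkle_root([leaf_hash(m) for m in META])  # assumed delivered as a signed tree head
```

The proof is only as trustworthy as the tree head: the audit property holds when independent monitors see the same head the client pins.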