Chorb, admin for Luna Pixel studios:
Hi, LPS dev here, would like to clear up a few things:
As of a couple hours ago, tens of mods & modpacks, mostly on 1.16.5, 1.18.2 and 1.19.2 have been updated to include malicious files. These projects include When Dungeons Arise, Sky Villages, and the Better MC modpack series. The Curseforge profile of these accounts show someone logging into them directly.
It is very likely that someone has access to several large Curseforge profiles and have found a way of bypassing 2FA to log into them.
Discord Anouncement by Luna Pixel studios with more info
Direct Message link to CurseForge discord post by community moderator
If you are a MineCraft Enjoyer (and I’d suggest until the impact is understood, if you play any game that uses mods or addons through CurseForge, like WoW for example), in an abundance of caution don’t update your mods/addons.
Apparently the intent of the malicious code is to make infected servers into botnet nodes.