KasaiSora delivers a vital wake-up call on the risks of closed-source plugins and the illusion of safety in high download counts. This concise breakdown is a necessary lesson in digital hygiene for a community often too trusting of unverified code.
This Popular Minecraft Plugin Has A Malicious Backdoor
So, a few days ago, a developer reached out to me with some very disturbing findings. They found a Minecraft plugin publicly available on Modrinth with over 15,000 downloads that had an active backdoor built in, which would allow the developer of that plugin to gain OP on any Minecraft server it is installed on.
Now, that is really bad. Actually, that is straight-up malware. And due to the way this plugin was designed, it was totally possible to swap out the back end and make it inject an actual virus into your Minecraft server. So, let's break down what is going on. And while we do that, make sure to break down the subscribe button as well. I would appreciate it. So, it all started when I received an email from an anonymous developer. They are currently building their own Minecraft server, and they wanted a name tag plugin. And they stumbled upon a plugin named NameTags.
Just NameTags. Now, he threw the plugin onto his server, and it worked surprisingly well. The plugin was fully functional, and it got the job done. But as this anonymous developer was a developer himself, too, he got really curious about how the plugin worked internally. So, he decided to take a look. And this is where the first red flag started to appear. The plugin was completely closed source and obfuscated.
Usually, free Minecraft plugin developers opt for an open-source approach as it creates a lot of trust.
But in this case, every piece of code was obfuscated. The only code that was publicly available was that of the API.
Now, seeing this made the plugin immediately very suspicious. So, the anonymous developer decided to have a look inside of the jar, which is where more red flags started to arise. For some reason, the plugin was not showing regular plugin logic. It seemed like the plugin was not even a plugin at all.
Instead, it was a loader. A loader that, as soon as executed, would download a completely separate plugin from the website of the developer, and it would save it as a temporary file. A file only available for as long as the server is booted, and as soon as the server booted down, the temporary file would just disappear. Now, having loaders is not unheard of, especially not with paid Minecraft plugins, but remember, this one was 100% free. So, the anonymous developer decided to dig even deeper into this random jar that the loader downloaded, and this is where all the pieces started falling into place. One of the commands of the Nametag plugin was showing some very odd behavior. That command is /Nametag debug. For some reason, this particular command did not have any permission checks whatsoever. So, the plugin was not actually checking if a player should be allowed to execute this command, yes or no, even though every other command did have a permission check. So, that was weird, but then he discovered that this command did actually have a check, but it was not doing a permission check, it was only checking if the command was being executed by a specific player with a specific UUID, the UUID of the developer. And if that check returned true, it would grant OP to that player.
Now, that is really bad. So, in short, the plugin worked fine normally, but a single command, /Nametag debug, when executed by the developer of the plugin, would grant that developer OP on the server, no matter what, which means that he can get OP on every single server where this plugin is installed.
Well, then, that is very malicious.
Now, this anonymous developer has sent me over a bunch of code snippets showing some of this insanely strange behavior.
You can see the code is checking a player's UUID, seeing if it is equal to a predefined one, and if it returns true, it will set the player to OP, and it will send a little message in chat that says, "OP granted." In this snippet, you can see the pre-specified UUID that it will be checking for. Yeah, that's really bad. So, after this anonymous developer discovered this, they immediately reached out to Modrinth, and they showed them all their findings. Here is a screenshot of that entire report. You can see the developer explained the entire situation, and after that, Modrinth's response is, "Thank you for the report. After additional verification, the given backdoor code has been located, and we have taken their projects down from Modrinth accordingly." Every single project from this developer is now no longer available on Modrinth, which is a really good thing. But, the story isn't fully over, because while the plugins are no longer available on Modrinth, they are still available on the developer's own website. In total, they have 12 plugins here. I want to make very clear that this anonymous developer has not looked into the other 11, only the name tag one. So, if all of these plugins contain the same backdoor, we don't know, but the name tag one at least does. And also, not every single one of them, only the loader version.
This anonymous developer also decompiled the legacy versions of this plugin, and these do in fact not contain this backdoor. And this is probably how it was unnoticed by Modrinth for so long.
These plugin and mod distribution websites, they can't check every single update that is released for a project.
So, instead, they check the very first release, then they approve or deny it.
After it's approved, it is publicly available on the website, but updates are no longer checked. So, what likely happened is this legacy version was first uploaded to Modrinth. It was then approved by the team, because the plugin itself was working totally fine, and no backdoor was to be found. But, then eventually, the developer replaced it with a loader that would actually download the plugin with the backdoor from their own website. And they tried to hide this fact by making that downloaded plugin a temporary file that would get deleted as soon as the server shut down. Now, that is of course very shady and really malicious, especially because the developer can just at any time switch out what file the loader will download. One day the plugin may just download straight up a virus. But even OP can do a lot of damage on a Minecraft server, especially a Minecraft server that earns a bunch of revenue. For example, a server that's selling ranks or crates. Having someone randomly gain OP on there can be really bad. But even though the plugin is no longer available on Modrinth, it is still available on the developer's own website. And the biggest problem right now is that a bunch of servers are still using it. When we go to the bStats of NameTag, you can see that there are currently 922 servers online that have this plugin installed. Now we don't know how many of these are using the legacy version, which doesn't have the backdoor, but if we assume that the majority of these are on the most recent version, that is a potential 922 servers that this developer can just gain OP on by executing a single command. Really bad stuff. So, moral of the story is, be careful out there, especially when it comes to downloading plugins from other websites than Modrinth and CurseForge.
Of course, the moderation on these platforms is not perfect either, but as soon as something malicious is found, it's at least taken down. But for a developer's own website, this is of course not the case. And no matter how professional such a website may look, you never know what's going on behind the scenes. And with all of that being said, that's going to be it for today.
Do make sure to sub to the channel, join my Discord. Thank you so much, channel members. And then, I will see you in the next one. Bye-byes. See you later.
Bye-bye.
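
The two behaviours described in the video, a loader that fetches a jar into a temporary file and a command that compares the sender's UUID before granting OP, leave string traces in compiled classes. The following triage script is an added example, not code from the video or from the report to Modrinth; the marker list, the labels and the sample jar are constructed for illustration, and the check is heuristic because string encryption or reflection can hide these traces.

```python
import io
import re
import zipfile

# Constructed heuristic markers: names of JDK/Bukkit members referenced by a class.
UUID_RE = re.compile(rb"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
API_MARKERS = {
    b"setOp": "grants-operator",              # ServerOperator.setOp(boolean)
    b"java/net/URL": "network-access",
    b"createTempFile": "writes-temp-file",    # java.io.File.createTempFile
    b"deleteOnExit": "self-deleting-file",    # java.io.File.deleteOnExit
}

def scan_jar(jar_bytes):
    """Return {class_name: sorted findings} for every class with an indicator."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            data = jar.read(name)
            found = {label for m, label in API_MARKERS.items() if m in data}
            if UUID_RE.search(data):
                found.add("hardcoded-uuid")
            if found:
                report[name] = sorted(found)
    return report

def verdict(report):
    """Combine per-class findings into the two patterns described above."""
    everything = {f for fs in report.values() for f in fs}
    flags = []
    # A UUID literal and setOp in the same class is the pattern from the report.
    if any({"hardcoded-uuid", "grants-operator"} <= set(fs) for fs in report.values()):
        flags.append("possible UUID-gated OP backdoor")
    if {"network-access", "writes-temp-file"} <= everything:
        flags.append("possible remote loader")
    return flags

def build_sample_jar():
    """Constructed stand-in: entries hold only constant-pool strings, not bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("a/Loader.class", b"\0".join([b"java/net/URL", b"createTempFile", b"deleteOnExit"]))
        jar.writestr("b/DebugCmd.class", b"\0".join([b"00000000-0000-0000-0000-000000000000", b"setOp"]))
        jar.writestr("b/Tags.class", b"setPrefix")
        jar.writestr("plugin.yml", "name: Example\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(verdict(scan_jar(build_sample_jar())))
```

In the case described, the loader and the backdoored plugin are separate jars, so the temporary file has to be copied out while the server is running and scanned as well.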