Are Minecraft mods safe to download?

Mods from the two trusted sources — Modrinth and CurseForge — are safe the vast majority of the time, because both scan uploads and moderate their files. The danger comes from third-party 'free download' sites that repackage popular mods with malware baked in. A Minecraft mod is a .jar file that runs real Java code with full access to your computer the moment the game loads it, so installing one from an untrusted site is effectively running a stranger's program. Stick to Modrinth and CurseForge, verify the author, and you remove almost all of the risk.

What are the safe sites to download Minecraft mods?

Modrinth (modrinth.com) and CurseForge (curseforge.com) are the two trusted, moderated sources for Minecraft mods. Both host files directly, scan uploads, and show the real author and version history. Avoid any other 'mod download' site — including ones with names like mc-mod.net that copy CurseForge's or Modrinth's design — as those are the main way token stealers and remote-access trojans get distributed disguised as popular mods.

How do I check if a Minecraft mod has malware?

Download only from Modrinth or CurseForge, confirm you're on the genuine domain, and check the mod page: a real mod has a consistent author, a version history, and an active community. Before running an unfamiliar .jar, upload it to VirusTotal to scan it against dozens of engines. Be suspicious of mods that ask you to disable your antivirus, download an extra 'installer' or 'launcher,' or come from a freshly created account reposting a popular mod. You can also check the developer against the VerifyUGC blacklist to see if they've scammed anyone before.

Home / Resources / Is That Minecraft Mod Safe?

Is That Minecraft Mod Safe? How to Avoid Malware Downloads and Which Sites to Trust

Q: What was the fractureiser Minecraft malware?

Fractureiser was a 2023 supply-chain attack in which several CurseForge and Bukkit accounts were compromised and used to upload infected versions of popular mods and modpacks. The malware stole browser data, Discord tokens, and crypto wallet information, and tried to spread to other .jar files on the system. CurseForge and the modding community responded quickly with detection tools and cleanup, but it's the clearest example of why even trusted sources require you to verify the author and stay current on security news.

Mods are what keep Minecraft fresh — but they're also one of the most reliable ways to get malware onto a gaming PC. A mod is a .jar file: real Java code that the game runs the instant it loads, with full access to your computer. Download one from the wrong site and you're not adding shaders, you're running a stranger's program. Here's why mods are such a popular malware vector, the only two sites worth trusting, and exactly how to check a mod before you install it.

Part of the Minecraft Community Safety guide.

Why Minecraft Mods Are a Malware Magnet

Three things make mods irresistible to attackers. First, the format: a mod isn't a config file or an image, it's executable Java code. When Minecraft loads a mod, that code runs with the same permissions as you — read your files, open network connections, launch other programs. There's no sandbox. Second, the audience skews young and trusting, and the install ritual ("download the jar, drop it in your mods folder, launch") trains people to run unfamiliar files without a second thought. Third, demand is impatient: when a mod updates or goes viral, thousands search "[mod name] download" and click the first result — exactly the gap fake sites exploit. The result is a steady stream of victims who deliberately download an attacker's code, then dismiss the antivirus warning trying to stop them.

The Only Two Sources You Should Trust

The single most important habit in this guide: get your mods from Modrinth or CurseForge, and nowhere else. Both are moderated platforms that host files directly, scan uploads, show the real author, and keep a public version history. They aren't perfect — no platform is — but they remove almost all of the risk, and everything else here is about closing the small gap that remains.

Modrinth — modrinth.com

The modern, open-source mod host. Check the address bar reads exactly modrinth.com (not modrinth.net, .org, or a hyphenated look-alike). Real mod pages show a verified author, download counts, supported versions and loaders, and a changelog. Files download straight from Modrinth — you're never bounced to a third-party "download host" with a countdown timer and a pile of ads.

CurseForge — curseforge.com

The long-established host behind most modpacks and the CurseForge app. The genuine domain is curseforge.com; a real mod page has a consistent author with a history of projects, a version list, and an active comment section. If you use the desktop app, download it only from the official site — fake "CurseForge launcher" installers are themselves a malware vector.

Fake Mod Sites: What They Look Like

The dangerous sites are built to look legitimate. They use domain names that read almost right — things like mc-mod.net or a near-miss spelling of a real host — and frequently clone the actual design of CurseForge or Modrinth so the page feels familiar. The tells are consistent:

The download is indirect. Instead of the file, you get a "Download" button that leads to another site, a countdown, a "your file is ready" pop-up, or a prompt to install a separate "downloader" or "launcher." Real hosts serve the .jar directly.
It's an unfamiliar domain ranking for a popular mod. If you searched a mod name and landed somewhere that isn't modrinth.com or curseforge.com, treat it as hostile no matter how polished it looks.
It rushes or scares you. "Disable your antivirus to install," "this is a false positive," and aggressive "DOWNLOAD NOW" banners are designed to push you past your own instincts.
The file is wrong. A mod should be a .jar. If the download is a .exe, .scr, .bat, or a password-protected archive, it is not a mod.

How Malware Gets Into Mods

Most infections come from those fake sites, but the trusted platforms aren't immune. A bad actor can compromise a legitimate creator's account and push an infected update to a mod people already trust. They can upload a fake "fork" — a fresh account reposting a popular mod under a slightly different name with malware added. And a supply-chain attack poisons something many mods depend on, so the infection rides along into otherwise-trusted downloads.

The clearest example is the fractureiser incident of June 2023. Several CurseForge and Bukkit accounts were compromised and used to upload infected versions of popular mods and modpacks. The malware stole browser data, Discord tokens, and crypto wallet information, and tried to spread to other .jar files on the machine. CurseForge and the community responded fast with detection scripts and cleanup — but it's the reason "I got it from CurseForge" isn't quite enough on its own. You still verify the author, and stay aware of security news when something big breaks.

What a Malicious Mod Can Actually Do

Because a mod runs as a real program, the payload is rarely "ruin your save." It's after things worth money:

Discord token theft. Grabs your login token straight from disk, letting the attacker take over your account without your password and spread the malware to your friends.
Crypto wallet draining. Scans for wallet files and clipboard activity, swapping copied wallet addresses or lifting credentials to empty balances.
Credential and browser theft. Steals saved passwords, cookies, and session tokens — effectively logging in as you everywhere.
Keylogging and remote access (RATs). Records what you type or opens a remote backdoor, handing an attacker ongoing control of your machine long after the game is closed.

How to Check a Mod Before You Install It

Even on a trusted host, run this quick check before a new .jar goes near your game:

Confirm the source and the exact domain. You should be on modrinth.com or curseforge.com — read the address bar character by character.
Verify the creator's identity. Real mods have a consistent author with a track record. A brand-new account reposting a popular mod is the classic fake-upload pattern.
Read the mod page history. A genuine mod has version history, a changelog, real download numbers, and an active community. A page with none of that — or comments warning others — is a red flag.
Scan the file with VirusTotal. Before running an unfamiliar .jar, upload it to VirusTotal to check it against dozens of engines. One or two low-quality detections can be noise, but multiple credible hits mean stop.
Never disable your antivirus to install a mod. No legitimate mod requires this. The request itself is the warning.

How VerifyUGC Helps

A lot of mod malware traces back to a person — a "developer" who repackages mods with a stealer baked in, or a commission seller who hands you a malicious build. That's where VerifyUGC fits. If a Minecraft plugin or mod developer has scammed or distributed malware before, you can find them on the VerifyUGC blacklist before you trust their files. And the VerifyUGC plugin & tool registry helps you tell a legitimately published mod from an anonymous, stripped-and-resold build handed over in a DM. Pair the trusted-source rule with a quick blacklist check on whoever you're dealing with, and you close the gap scanning alone can't.

If You Installed a Malicious Mod

Move fast — token and credential stealers do their damage in minutes:

Disconnect from the internet and delete the .jar from your mods folder. Then run a full antivirus scan, or a dedicated cleanup tool if a specific outbreak (like fractureiser) has a known remover.
Change your passwords from a different, clean device — start with email, Discord, and anything tied to money. Don't reset them on the infected machine.
Reset your Discord token by changing your Discord password, which invalidates the stolen token and logs the attacker out.
Secure crypto and payment accounts. Move funds to a new wallet created on a clean device, and watch for clipboard-hijacked transactions.
Turn on two-factor authentication everywhere once you're clean, so a stolen password alone isn't enough next time.
Report the source. Flag the fake site or compromised upload to Modrinth/CurseForge, and add the seller or "developer" to the VerifyUGC blacklist so the next person sees the warning first.

Mod Freely, Just Verify First

Mods are the best part of Minecraft, and you don't have to give them up to stay safe — just be deliberate about where they come from. Use Modrinth or CurseForge, read the address bar, verify the creator, scan anything unfamiliar, and check whoever you're trusting against the blacklist first. Take our free safety course for the full walkthrough, and add the bot to keep known scammers out of your community.

Check a Mod Developer Before You Trust Their Files

Run any Minecraft mod or plugin developer through the free VerifyUGC blacklist, and trace their work in the plugin registry before you install anything.

Run a Blacklist Check