OFFSITE.DARK

Jun 29, 2026


Sploitus / Exploitarium

  • lunar
  • modrinth
  • electron
  • rce
  • exploitarium

news

Lunar Client Modrinth Explore RCE Chain

rehypeRaw Markdown + preload IPC forges Modrinth profile overrides and openExternal local launcher — critical candidate CVSS ~9.6.

Summary

The chain combines rehypeRaw Markdown with preload IPC to forge Modrinth profile overrides and pass a local launcher to openExternal; it is rated a critical candidate, CVSS ~9.6. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

| Finding | Detail |
| --- | --- |
| Product / target | Lunar Client (Electron) June 2026 builds |
| Primitive | Raw HTML in Explore + profile override extraction + shell.openExternal on .lnk |
| Impact | Victim views malicious Modrinth project in Explore → desktop-user code execution without launching Minecraft. |

Attack Chain

Malicious MD → iframe JS → forge profile → extract overrides → openExternal launcher

Mitigation

Sanitize Modrinth HTML; restrict openExternal; validate override paths outside user-writable dirs.
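
A sketch of two of the mitigations above as main-process guards, added here as an example and not taken from Lunar Client or the upstream PoC. The function names, the host allowlist and the blocked-extension list are assumptions chosen for illustration.

```javascript
// Added example (hypothetical names): guards for the two sinks in the chain.
// ALLOWED_HOSTS and BLOCKED_EXT are assumed values, not Lunar Client's.
const ALLOWED_HOSTS = new Set(["modrinth.com", "cdn.modrinth.com"]);
const BLOCKED_EXT = /\.(lnk|url|exe|com|bat|cmd|ps1|vbs|scr|msi|hta|pif)$/i;

// Returns a normalized https URL that may be handed to shell.openExternal,
// or null. Renderer-supplied strings must never reach openExternal unvetted.
function vetExternalUrl(raw) {
  let u;
  try {
    u = new URL(String(raw));
  } catch {
    return null;                                   // not a URL at all
  }
  if (u.protocol !== "https:") return null;        // drops file:, smb:, "C:\..." etc.
  if (u.username || u.password) return null;       // no credentialed URLs
  if (!ALLOWED_HOSTS.has(u.hostname)) return null; // exact host match only
  return u.href;
}

// Returns a normalized relative path for an override archive entry, or null
// if the entry could escape the profile directory or drop a launchable file.
function vetOverrideEntry(entryName) {
  const name = String(entryName);
  // NUL, backslash separators, drive letters and NTFS stream syntax are rejected.
  if (/[\0\\:]/.test(name) || name.startsWith("/")) return null;
  const parts = name.split("/").filter((p) => p !== "" && p !== ".");
  if (parts.length === 0 || parts.includes("..")) return null;
  // Windows strips trailing dots and spaces, so "x.lnk." lands as "x.lnk".
  if (parts.some((p) => /[. ]$/.test(p))) return null;
  if (BLOCKED_EXT.test(parts[parts.length - 1])) return null;
  return parts.join("/");
}

// In the Electron main process (not run here):
//   const safe = vetExternalUrl(urlFromRenderer);
//   if (safe) shell.openExternal(safe);
//   const rel = vetOverrideEntry(zipEntry.name);
//   if (rel) extractTo(path.join(profileDir, rel));  // extractTo is hypothetical
```

Both functions fail closed: anything that does not parse or match returns null, and the caller skips the action.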
