NameTags Backdoor Gave Dev OP On 900 Minecraft Servers

A plugin with 15k Modrinth downloads hid code letting its creator seize operator powers on any server it ran on. Modrinth removed everything after the report, but the developer's site kept shipping the malicious build, and over 900 servers are still running it right now.

The Minecraft server plugin scene runs on trust. You download something from Modrinth, drop it in, and hope it does not nuke your world or hand the keys to a stranger. That trust just took another gut punch.

What the backdoor actually did

According to the breakdown, NameTags contained a loader that fetched extra code from the developer Apollo’s site. A concealed command bypassed normal permission systems. When triggered by the correct UUID, it handed over operator status instantly. Any server running the affected build was effectively owned the moment the dev felt like using it.

Nearly a thousand live servers still have this thing installed per bStats data. The ecosystem let a backdoor spread at scale before anyone noticed. That is not a one-off glitch. It is the predictable result of low barriers and weak verification.

KasaiSora laid out the timeline clearly. An anonymous tip led to code review. Modrinth pulled every project from the developer within hours once they confirmed the malicious payload. The official page for NameTags is gone from their catalog.

Yet the developer site is still up. The downloads are still available. Server lists show 922 instances actively running the plugin. The fix is not automatic. Every admin has to check their installs the hard way.
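One way to do that check, as an added example that is not from the video or from Modrinth: it reads the name each jar declares in its own descriptor, so a renamed file is still found, and lists operator entries the admin does not recognise. It assumes the plugin declares itself as `name: NameTags` in `plugin.yml`, the standard `ops.json` layout, and an allowlist of operator UUIDs you supply; the directory and UUIDs in `demo()` are constructed.

```python
import json, re, tempfile, zipfile
from pathlib import Path

# Descriptor files a Bukkit/Paper plugin jar may carry at its root.
DESCRIPTORS = ("plugin.yml", "paper-plugin.yml")

def plugin_name(jar: Path):
    """Return the `name:` a jar declares in its descriptor, or None."""
    try:
        with zipfile.ZipFile(jar) as z:
            for d in DESCRIPTORS:
                if d in z.namelist():
                    text = z.read(d).decode("utf-8", "replace")
                    m = re.search(r"^name:[ \t]*['\"]?([^'\"\r\n#]+)", text, re.M)
                    if m:
                        return m.group(1).strip()
    except zipfile.BadZipFile:
        pass  # unreadable archive: not a loadable plugin, skip it
    return None

def find_plugin(plugins_dir: Path, wanted="NameTags"):
    """Jars whose declared name matches, whatever the file was renamed to."""
    return sorted(j.name for j in plugins_dir.glob("*.jar")
                  if (plugin_name(j) or "").lower() == wanted.lower())

def unexpected_ops(ops_json: Path, allowed_uuids):
    """Entries in ops.json whose UUID is not on the admin's own allowlist."""
    allowed = {u.lower() for u in allowed_uuids}
    return [o for o in json.loads(ops_json.read_text())
            if o.get("uuid", "").lower() not in allowed]

def demo():
    """Run both checks against a constructed server directory."""
    root = Path(tempfile.mkdtemp())
    (root / "plugins").mkdir()
    for fname, name in (("tags-renamed.jar", "NameTags"), ("chat.jar", "ChatThing")):
        with zipfile.ZipFile(root / "plugins" / fname, "w") as z:
            z.writestr("plugin.yml", f"name: {name}\nversion: 1.0\nmain: x.Main\n")
    (root / "plugins" / "broken.jar").write_bytes(b"not a zip")
    owner = "00000000-0000-0000-0000-000000000001"     # constructed UUID
    stranger = "00000000-0000-0000-0000-0000000000ff"  # constructed UUID
    (root / "ops.json").write_text(json.dumps([
        {"uuid": owner, "name": "Owner", "level": 4},
        {"uuid": stranger, "name": "Unknown", "level": 4}]))
    return (find_plugin(root / "plugins"),
            [o["uuid"] for o in unexpected_ops(root / "ops.json", [owner])])

if __name__ == "__main__":
    print(demo())
```

A match only tells you the plugin is installed, not which build it is, and an empty `ops.json` result does not rule out operator status that was granted and later removed.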

The obvious takeaway

Plugin repositories cannot catch everything in real time. Modrinth responded correctly once alerted, but the damage window was already wide open. Server owners treating every download as safe are rolling the dice with their communities and data. Audit what you run. Verify signatures where possible. Stop assuming good faith is the default in a scene full of anonymous uploads.

  • 15,000 plus downloads on Modrinth before removal
  • Backdoor tied to developer UUID for silent OP access
  • Modrinth removed all projects from the account after verification
  • Developer website continues distribution
  • 922 servers confirmed running it via public stats

The video does not speculate on motive beyond the obvious power grab potential. It focuses on the technicals and the current exposure level. The server admin community is now on notice again that one slipped dependency can compromise an entire network. Expect more scanners and stricter review processes to follow.