Waiting for proper disclosure from the Xeros team. Until then, I've gone ahead and removed the OP and locked the thread. Earlier today, it came to our attention that Xeros had been compromised.
It would appear that there has been a password stealer for Chromium-based browsers (Chrome, Brave, Opera, Yandex, etc) as well as a Discord token stealer in both the client jar and the launcher for at least the past couple of days.
It's hard to say exactly how long as we are going by the modification date of the malicious files, which are dated November 2nd 21:00 UTC+0. However, all this means is that it is likely the current version of the malicious jar has been around since about that time. This does not mean that people who played the server prior to that date are safe:
- File modification dates themselves can be modified, obviously. This means something can be created in the past and then be given a date in the future.
- The current malicious code may only be the latest iteration. Xeros may have been compromised prior to November 2nd 21:00 and may have had a different malicious jar on the site, which may have been swapped out at later date for the current one, for whatever reason (e.g., replacing the jar with the latest client update, adding more features to the malicious code, fixing a bug in the malicious code, etc).
It is absolutely certain that both the client jar and launcher on the site are affected. However, what is less certain is the situation for users who have been using the auto-updating launcher prior to whenever the website was compromised.
I have received an older version of the launcher from the 11th of October from @
Clayus that does not appear to have any malicious code embedded inside of it. The older launcher downloads the client itself from a URL located on a separate server hosted at NFOservers, which is the same URL used in the malicious launcher. The jar found at that URL does not appear to be infected. So, while I would never speak in such certain terms as "you're safe if you played before X date"—and I hope the Xeros team also refrains from such language when they make their announcement—but it would
appear that only the Xeros website itself was compromised and players who played with the launcher prior to this week may be okay.
Regardless of which camp you are in, I would highly recommend that you take proper steps to secure your computer as well as change your passwords.
Special thanks to @
FlSK for bringing this to my attention.