Hackers used the popular Minecraft modding platforms Bukkit and CurseForge to distribute a new 'Fractureiser' information-stealing malware through uploaded modifications and by injecting malicious code into existing projects.

I guess after using the NPM and PyPI repositories to distribute compromised packages, malicious actors have moved to Minecraft plugin/mod repos.

Minecraft mod BOM’s when?