PolyMC has been compromised!

Protonull · October 18, 2022

Please backup your instances, uninstall PolyMC, and revoke its consent. If, however, you are content to keep PolyMC then it’s recommended to do the following:

  • Update the Microsoft API Key (Settings → APIs → API Keys → Microsoft Authentication) to c36a9fb6-4f2a-41ff-90bd-ae7cc92031eb (Reference). You wont be able to login otherwise.

  • Update the metadata server (Settings → APIs → Services → Metadata Server) to https://meta.prismlauncher.org/v1/ (Reference)

  • Change the user agent (Settings → APIs → Miscellaneous → User Agent) to something innocuous like Foobar (Reference)

  • Disable auto-updates, which is a little trickier. You’ll need to close PolyMC and ALL instances that may be running, then you need to access the polymc.cfg file with a text editor and change the AutoUpdate=true line to AutoUpdate=false and save. You may be able to find the file via a search, but you should ordinarily be able to find the file by clicking “Instance Folder” in the sidebar of PolyMC and going up two folders. Remember to close PolyMC before opening the file.

The ousted developers have created a new fork, the Prism Launcher (Github, Discord).

(Please keep in mind that these timestamps are BST)

Here’s the tea.

At 7:55pm, LennyMcLennington deleted the Code of Conduct from the PolyMC repository, labeling it “reclaim polymc from the leftoids”. (Reference)

At 8:18pm, LennyMcLennington stated in the PolyMC Discord: “[PolyMC] was politicised by leftists as soon as the contributor covenant got added and they started adding pride flag emojis on the discord server” (Reference)

At 8:25pm, Scrumplex seemingly created a new Discord server named “PlaceholderMC” stating that they didn’t know what was going on over at PolyMC; that all maintainers were banned by LennyMcLennington; and that the new Discord was their raft now. (Reference)

At 8:27pm, dada513 stated in the PlaceholderMC Discord that LennyMcLennington, a founder and maintainer of PolyMC, had gone rogue; that they didn’t know whether Lenny’s account had been compromised or not; but that Lenny had removed all permissions and membership from the Github organisation. (Reference)

At 8:28pm, LennyMcLennington said in the PolyMC Discord: “They say it’s compromised but all they mean is that i removed all of the contributors’ permissons who were promoting radicalist leftist queer ideology, and people really think that I got hacked just because I was never public about hating this shit.” (Reference)

At 8:36pm, Modrinth tweeted:

At 9:26pm, Scrumplex announced in the PlaceholderMC Discord that any previous donators to PolyMC should attempt to chargeback their donations. (Reference)

At 9:44pm, BowDown097 said in the PolyMC Discord: “there is also no malware, nor will it ever be added into the project. whoever is spreading that is probably a coping power mod. this was simply an effort to purge the project of radical leftists and do a little trolling. we are in vc laughing our asses off. there is still an interest in continuing the project in some form. use whatever you want to use though 🤷” (Reference)

At 10:01pm, adeadhead linked to Modrinth’s tweet in the Icenia Discord. (Reference) This lead me to joining the PolyMC Discord for more information and seeing a packed event-voice chat. After joining, they, the people with unmute permissions, were imitating Zelenskyy’s accent and being openly transphobic.

At 10:11pm, Scrumplex posted in the PlaceholderMC Discord an answer to an FAQ stating that some packages are still under their control, such as the Flatpak, but also notes that LennyMcLennington was banned from AUR. (Reference)

At 11:24pm, LennyMcLennington made an announcement in the PolyMC Discord claiming that he uses two-factor authentication for Discord and Github, and linking to a public-paste of a PGP-signed message. (Reference)

18th October

At 00:14am, Zeke announced in the PlaceholderMC discord that they’ve reached 2000 members. (Reference)

At 9:21am, PlaceholderMC was renamed to Prism Launcher. (Reference)

At 11:29am, LennyMcLennington announced in the PolyMC Discord that PolyMC’s “MSA client ID” was deleted by the ousted developers and that a new one will be needed to login to Minecraft with PolyMC. (Reference)

At 1:10pm, cozyGalvinism announced in the Prism Community Discord that they’ve reached 4000 members. (Reference)

At 3:18pm, LennyMcLennington made a series of announcements in the PolyMC Discord stating that no malicious code had been added to PolyMC; that people are free to choose other launchers or change the settings within PolyMC; and that he will personally check any and all new contributions. (Reference)

It’s unclear what specifically triggered LennyMcLennington. Though his propensities were hinted at in various places, like naming a commit “penis” and recommending a troll theme for PolyMC, but this was nonetheless rather drastic and will inevitably haunt his reputation. Similarly, the offhanded way they say “there is still an interest in continuing the project in some form” suggests a bleak future for PolyMC too.

It’s still possible, perhaps, that LennyMcLennington’s account was hacked, but it’s more likely that this was a coup. For this reason I have to agree with the sentiments of the Prism Launcher developers that PolyMC is no longer safe to install and use: you don’t want to have auto-updating software made by someone who’ll coup their development team over pride flag emojis on the project’s Discord server.

Update: At roughly 8:30pm, I was banned from the PolyMC Discord, so there may not be anymore updates regarding PolyMC from here on out.

For context, all of the PolyMC Discord’s public text channels were locked after they finished “laughing their asses off in vc” since every channel was being inundated with extremely Terms-of-Service-breaking messages and images. Lenny attempted to contain this by opening some new text channels, but the same thing spilled into those too. He then tried limiting message history with the express intention of avoiding reports to Discord, but he soon gave up and deleted those channels altogether. He then attempted to create another channel, warning people that they’ll be banned for breaking the Terms of Service, but this too had little to no effect.

I got banned for sarcastically praising Lenny’s good work and how nobody could’ve possibly predicted that publicly purging “leftoids” and “radical leftist ideology” would foster such a lovely community full of pleasant people with very peaceful and tolerant views. I suppose he didn’t find that funny. I suppose he’s not such a fan on trolling when it’s against him. Interesting.

I have been making various tweaks to the article. You can scrutinise these here if you so choose.