Greetings!
Most likely you found this document from a link in an angry red message, or maybe a friend sent you a link to it.
Here's a TL;DR for the impatient readers:
- VRChat has a problem with malicious mods
- This includes mods that are malicious both to other users and to their own users
- There have been numerous cases of malicious mods stealing accounts (not limited to VRC accounts) or harming users' PCs
- Malicious mods create a bad reputation for modding in general
- If malicious mods weren't a thing, VRChat wouldn't need to crack down on mods in general
- Using malicious mods or supporting them or their creators proliferates the issue
- Malicious mods don't provide any new (wholesome) features over existing wholesome mods
- Being an asshole to others (i.e. via malicious mods) is morally wrong
- Enabling others to be an asshole to others is even more morally wrong
- Therefore, you shouldn't use malicious mods, and you should encourage others to avoid them too
- This is a group effort, and every individual contribution matters
Mods are executable code and have full access to your PC, and therefore require the same precautions as running random executables from the internet. Most (if not all) antiviruses don't detect anything wrong with malware mods - they are a niche software type, which usually means that they are not in malware databases or machine learning datasets.
MelonLoader has certain protections that make it harder to hide what a mod is doing. While this doesn't prevent a mod from being malware in the first place, it's way easier to analyze a mod that passes MelonLoader checks to figure out if it does anything bad.
A normal mod has nothing to hide from its users. Trying to hide things is more often than not indicative of malicious intent, especially in the context of the VRChat modding scene, where the proportion of malicious mod makers is unusually high. Coincidentally, mods having something to hide are practically guaranteed to contain malicious features (more on that in the following sections).
Historically, there have been several cases of malicious mods stealing accounts (not limited to VRC accounts) or harming users' PCs in other ways, so this is not empty fear-mongering - the dangers are real, if uncommon. See the References section for examples of this.
As a side note, this also applies to Unity packages to some extent. They can contain executable code too, and there have been recorded cases of "normal-looking" packages containing code to steal accounts (again, not just VRC ones, but also Discord and other accounts you were logged into in your browsers). As such, singling out mods as dangerous is dishonest - Unity packages are another non-obvious source of danger (and hopefully random executables are an obvious source of danger).
Do you consider yourself an evil person?
If so, try to become a better person instead of sticking to your existing ways - everyone is capable of self-improvement, and you'll be better off as a result.
Assuming you don't, take a moment to consider the use of malicious mods. They are made with the intent to let their users harm or inconvenience other users. Would you want to be on the receiving end of malicious features? Is being crashed fun? Is having an avatar you put hours of work into stolen enjoyable? Do you want your game world session interrupted by someone who teleports items all over the place?
Likely the answer to all of those is "no".
As such, there is no reason to use or have any of those features. Some may say, "but I only crash bad people!". However, fighting fire with fire, in this case, is completely ineffective. The block button works way better than crashing someone - you'll never see them again, ever, whereas a crashed player will just rejoin the instance (not to mention that many run anticrash mods these days). There are also kick and votekick buttons, which help get rid of problematic users.
This applies to many other malicious features - perhaps you won't abuse one, but someone else will. As such, providing those features to an unrestricted user base is not the right thing to do. All it serves to do is increase total un-enjoyment for other users. It actively makes the world worse on average.
If you take one step further, it logically follows that you shouldn't support people who make malicious mods. The less widespread malicious mods are, the better place VRChat would be for everyone. And denying any kind of support to malicious mod makers can greatly accelerate this - after all, if there's nobody to create trouble, where would it come from?
In conclusion, not only should you avoid using malicious mods yourself, you should encourage your friends to do the same, and shun people using them regardless. Even a single malicious feature poisons the well, so to say.
The next section plays into this too.
As a side note, if someone considers it acceptable to let others harm, harass or annoy other users via mods they provide, what makes you sure they won't decide to do the same to their mod users at some point for whatever reason? They could easily decide to "troll" their users with something annoying for entertainment, or just cause a mass ban wave for their mod users just because they got in a bad mood. Moral integrity, while not a rare quality, should be a requirement in a low-trust environment such as the modding scene.
As you might have noticed, the VRChat Team doesn't like mods. Have you ever asked yourself why? If you look at most other games with a modding scene, developers usually welcome (or at least ignore) mods as they allow users to enhance or adapt their game with zero effort from developers, increasing enjoyment and longevity. That is indeed the case for wholesome mods for VRChat too - many users are enjoying their new modded features, and given that nobody is harmed, there would be no reason to be so severely opposed to mods.
Unfortunately, the reputation of VRChat modding is severely tarnished by all the malicious mods floating around. "Look, a personal pocket mirror" makes way fewer headlines than "Yet another malicious mod is being used to crash users", and, as such, even a few bad apples are enough to spoil the reputation of modding, even if most users only use completely harmless mods.
This plays into the previous discussion point. Malicious mods are not only bad for their victims, but they are also bad for the modding scene as a whole, and all other mod users, as ban risk for modding is still there.
Which world do you want to live in?
One where every mod user has to fear bans due to modding being unwelcome, and public instances are unusable?
Or one where modding is accepted, carries no risk of punishment, and no trolls are running around publics with their orbiting pickups?
Don't be complacent, take action!
Have you ever seen a random malicious mod have features suspiciously similar to wholesome open-source mods? Or get a new feature right after an open-source mod with that same feature was released?
This is not a coincidence. There were numerous cases of malicious mods stealing code from open-source mods in violation of their licenses. Unfortunately, they often get away with that too, as individual mod makers are not multi-billion-dollar companies that can afford to litigate left and right. Open-source is meant to foster a friendly, open environment conducive to learning, and not to be abused by malicious actors.
On top of that, the quality of those mods is often lackluster - it's not uncommon for malicious mods to break other (unrelated) mods (both intentionally and unintentionally), be exceedingly buggy, break game features, and so on.
Furthermore, malicious mod developers often disregard their users' safety. In their race to be the most malicious one, they often implement unsafe features that can be easily detected by VRChat, which leads to their users quickly and sometimes permanently losing their accounts. On the flip side, while the wholesome side of modding did have a few mass ban incidents early in its history, its user safety history is mostly squeaky clean since the Unity 2018 update of VRChat (April 1st, 2020) - no mass bans, no malware, no mods breaking major game features (aside from mod breakage on game updates, that is).
This is not an issue that will magically solve itself, so you must take action.
For step one, if you're currently using any malicious mods, stop using them, convince your friends to stop using them, and shame other users of malicious mods.
For step two, join the VRChat Modding Group Discord. It's a group dedicated to wholesome mods, and it aims to ensure user safety by having all mods manually checked for bad code. Whatever non-malicious features a malicious mod might have, there's a non-malicious, safe mod in the VRCMG.
For step three, spread awareness (but beware that due to modding's bad reputation a lot of places have a "no talking about mods at all" rule). Most mod users are wholesome, but that doesn't help the image of the modding scene as there's always one more asshole to make news.
Malicious mod users should become a shunned minority, using a malicious mod should be a disgrace, and modding, in general, should be seen in a positive or neutral light. Together, we can deny malicious mod makers the support and attention they crave, and make malicious modding a thing of the past.
- Mods are against TOS, therefore...
  - Beat Saber mods are against their TOS too, with the same security concerns and some abuse potential, and yet people happily use them, and the developers don't care.
  - NSFW avatars are against the TOS too, regardless of how or where they are used (yes, even private avatars in invite-only instances). People use them regardless.
  - Being under 13 years old is against TOS too. Join any quest-compatible public instance and observe the number of kids of questionable ages.
  - TOS as written and TOS as enforced are not necessarily the same - some terms might be there for legal reasons, but only token effort is put into actually enforcing them.
- How can I tell if a mod is malicious?
  - The first thing to do is read its feature list. Is there anything that can affect other players negatively or can be used to annoy them? For features in the gray area, is any effort put into making them harder to abuse?
  - If it doesn't run on official MelonLoader releases, it's probably malicious. As mentioned before, if a mod has something to hide, it's not trustworthy.
  - Two things that should raise extra suspicion are "client" in the name or being paid (or having a "premium" or other paid options). While those two don't mean anything on their own, there's a correlation between those two things and the mod doing them being malicious.
  - If a mod is not published in the VRCMG, it's mildly suspicious. Some mods can't be published due to Discord's NSFW rules, and some mod makers never bothered to do so. However, a malicious mod will never get through the review process in the VRCMG.
  - A random mod on the internet can still be malware, so ideally you'd want an extra assurance from a trusted source that it doesn't do anything bad (or you can check it yourself).
- I make one of those malicious mods! Why do you hate me?
  - I don't hate you, I just wish you were a better person.
  - Practically everything written above applies to malicious mod makers even more so than their users.
  - You're the reason for the sorry state of VRChat modding and antagonistic developers.
  - Do you hate this game? Then just stop playing it. Spend your time on something you like.
  - Do you hate random internet strangers? What did they do to you? They deserve better.
  - Want to help make modding better for everyone? Remove all even remotely malicious features from your mod, and tell your users about it.
These Discord links lead to the #announcements channel of the VRChat Modding Group Discord server.
Please note that these are just examples that were caught once - if something is not listed here, it can still be dangerous.
This (technically open-source) mod was caught filling its users' desktops with hard-to-delete files and closing the game.
Another version (that didn't get archived, unfortunately) also tried to delete the user directory and caused a BSOD.
Discord message link
Web Archive link to commit (it was erased from the actual repository history)
This was a random DLL file passed around in DMs to unsuspecting users. It claimed several features, but all it did was print some text to the console and send a bunch of sensitive info to its makers.
Additionally, it provided minor remote control capabilities, specifically changing its user's avatar to an attacker-chosen one.
Discord message link
This was a random DLL file passed around in DMs to unsuspecting users with various claims along the lines of "amazing safety mod".
In reality, it was a renamed NightClient.
Discord message link
A textbook example of a "client" developer going crazy and stealing auth tokens of their user base for their amusement (and possibly other shady purposes).
Discord message link
Appears to be a renamed KiraiMod (to the point its makers were too lazy to rename the assembly).
The malicious code in question fills the user's desktop with (normal, deletable) copies of mods with GUID names, removes all mods from the Mods folder, and appears to try to cause a "modified client detected" ban.
Afterwards, it tries to cause a BSOD and, if that fails, simply terminates the VRChat process.
Unfortunately (for this section), none of these were worthy of an announcement. After all, they didn't affect VRCMG mod users, so why bother them with an unnecessary ping, or give any attention to malicious mods?
For what it's worth, practically everyone who complained about mod-caused bans in the VRCMG since the Unity 2018 update (April 1st, 2020) was either using malicious mods, or was being very obvious about mod use (i.e. streaming with mods, noclipping in public, and so on).