Increasing plugin file sizes

Malware usually hides itself within your plugin’s jar files, to make it harder to detect. As all computer code inherently takes up space, you might notice plugin jar files increasing in size when they’re infected.

Increased resource usage

Some forms of malware do malicious tasks, such as crypto mining or logging and reporting activity to a remote server. As these tasks take up server resources, if you’ve suddenly seen an increase in lag or lower tick rates, this might indicate a malware infection. It’s also worth noting though that malware is only one of the many reasons resource usage can increase, with a vast majority just being due to benign player activity on the server. While this can be a sign, it’s not evidence of a malware infection by itself.

Strange errors

There are a large number of strange errors that can show up due to malware infections, usually in other systems not specifically built to find malware that incidentally notices something odd. Paper’s plugin remapping system for example can’t deal with many forms of obfuscation that Minecraft malware typically uses, and can cause errors during the remap process.

Similarly, WorldEdit and WorldGuard contain systems to detect when other plugins incorrectly contain parts of WorldEdit or WorldGuard, as this can cause instability. This system also incidentally triggers with many forms of Minecraft malware. If you’re suddenly getting big errors that a plugin is including parts of WorldEdit or WorldGuard that you didn’t see before, this is a good indicator you have malware.

Another error that might indicate malware are “zip file closed” errors. While these have many possible causes, most harmless, malware is a possibility.

Antivirus Software

Something to note is that while antivirus or antimalware software is generally a good way to detect malware, they are not at all reliable for Minecraft malware. Not only will they almost never detect actual Minecraft malware, they’re also very prone to giving false positives on entirely innocent plugin jar files. While getting a virus alert from this software might be a good indicator to double check you’ve got a legitimate file, the alerts are more often than not a false positive and safe to ignore.

Only use official downloads

The main method to avoid malware is to make sure you only ever access software from official sources. This can be done by making sure the location you’re downloading software from is the actual place that the developers of the software are uploading it to. For example, if a plugin only uploads to Modrinth, a copy uploaded to the Spigot website by someone else would be considered unofficial and a bad idea to use. Reuploads of plugins by unofficial sources can be modified in ways that you wouldn’t expect and are therefore a common vector for malware. One of the most common sources of malware are actually pirated plugin sites that reupload paid plugins for free.

It's also important to ensure you only get your server software from official sources. As Spigot can only be officially obtained from Spigot’s BuildTools system, numerous sites have popped up that offer direct Spigot jar file downloads. As these are all unofficial reuploads, these can possibly be a source of malware. While some sites or reuploads might be safe, this is difficult to verify and it’s better to not take the risk.

A good way to verify official sources is to check whether the plugin or software has an official website, and check where they link to for the downloads. It’s safest to use whatever is linked to by other sources from the developers of software.

Try to avoid unknown plugins, or newly uploaded plugins

Even if you only download from reputable websites, there have been a few cases of malware from these sources in the past. These cases have usually been newly uploaded plugins from non-established developers. If you want to be safe, it’s likely a better idea to use more well-known plugins from more reputable developers, than brand new plugins from new developers.

While a vast majority of new plugin developers are not doing anything malicious, it can be a good idea to wait at least a few weeks or longer before using brand new plugins as malware is usually discovered fairly quickly if present.

Removing malware

The first step to remove malware is to delete every single jar file that it might have access to. This includes plugin jar files, the server software jar file, and potentially all the jar files on other servers on the same machine that it might have had access to. If you’re using Paper there might also be jars in folders such as cache, versions, and the .paper-remapped directory in the plugins folder. Every single jar file you find should be removed, because any of them could contain malware. If you’re not sure whether everything is gone or not, try using search functionality to look for jar files, ideally, you’ll find none.

Once every single jar file has been removed, you should re-download everything you want from official sources, and then start your server. It’s very important to not start your server midway through the process and to ensure that all jar files are removed before downloading new ones, because if any of the files currently on the server contain malware, they can spread it to the newly downloaded jar files.