(Update) New malicious code causes certain Minecraft players to be at risk of malware
Minecraft players might find themselves at risk from malware that's spreading. According to Avast, 50,000 accounts have fallen victim to malicious code that infects the computer and reformats users' hard drives. Supposedly, this malware isn't complex at all; the issue is that people were able to upload it via Minecraft skins onto the official Minecraft site, where many people go to download skins for their characters. With a playerbase of 75 million, there's a multitude of users that could potentially be affected, although younger users are more likely to download skins, which leaves them the most susceptible to downloading the malware. There's a handful of specific skins, such as the ones above, that have the malware script attached, but the safer option is to not download any skins at this time. Claims are being made that if an affected user joins a host that you're on, it can affect you as well and put you at risk, though this is unverified.
Affected users that wound up downloading an infected skin began receiving unusual messages in their inbox on the Mojang site, such as,
“You Are Nailed, Buy A New Computer This Is A Piece Of Sh*t”
“You have maxed your internet usage for a lifetime”
“Your a** got glued”
There's also a variant that can affect "tourstart.exe" on your computer, which causes massive performance issues on your PC, especially on startup. Avast claims that they've protected against over 15,000 threats by removing the harmful software or preventing it from downloading. At the time of writing, the issue has not been resolved, but Mojang is currently working to address this problem.
Edit: The official Minecraft site has responded to the problem and has fixed the issue.
This is now resolved, but we wanted to explain what happened and the measures we’ve put in place to protect our community.
Any Minecraft: Java Edition player can upload their own custom skin in the widely-used PNG file format to our webservice at minecraft.net and this will then appear on their character in-game. PNG files can contain things other than an image, such as metadata, which includes information on what tool created it, when it was made, who made it, etc. This meant that PNG files could be created containing code in this inert part of the skin file. However, this code would not be run or read by the game itself.
While your antivirus software might detect this code and alert you to its presence, the code would not be able to run by itself. Additionally, even if you found the code within the file and chose to run it, your antivirus software should detect and block the attempt.
To further protect our players, however, we deployed an update that strips out all the information from uploaded skin files other than the actual image data itself.
Supposedly, the claims by Avast were false and the code hidden in the skins couldn't actually be executed, according to Minecraft developers. Regardless, any potential for such a problem to occur with the Java version has been fixed.