Finding Malicious Code in a SpigotMC Premium Plugin

As part of my job as resource staff on the SpigotMC forums, I handle resources (plugins) being reported. Most commonly they will be someone "stealing" another resource and simply reposting the same file (and sometimes even the same description) as another existing resource. Sometimes they will even report the original as the impersonation (though obviously the reporter's copy was published after the original). Those resources are removed very quickly and the user warned (and if it continues, banned).

When checking out these reports, most of them require decompiling the plugin jar file to verify it is actually stolen or contains malicious content. You can also sell your plugins on SpigotMC (the limit being around $20 per copy), and there are specific rules for that. Before you can post your premium resource (as they're called) you must have at least 40 posts and 20 positive ratings, as well as a few published resources. This means that only dedicated members of the community can sell their plugin, not just anyone looking for a place to make money. 

Premium plugins must then be approved by staff. The rules also don't allow generic plugins, in order to keep what's being sold as high quality as possible. Notably, KitPvP gamemode plugins are given as an example of what will be denied. KitPvP is a simple game that started several years ago. Players are given kits and drop down into an arena and simply PvP to the death, to be respawned and drop down again. It is based around kits: starting items that define different gameplay styles. Unfortunately, they were fairly easy to create as plugins, which led to many of the plugins being sold doing the same things, so SpigotMC requires resources to be original and innovative.

Premium resources are commonly bought and then the copy given away on pirating websites. Nearly every remotely popular plugin has been pirated this way, and there isn't much the authors can do about it. In order to prevent authors from selling plugins and then later revoking access to their features, the premium resource rules state that plugins must work without an internet connection (they cannot contact the author's servers for validation) and that no feature may be remotely disabled.

One resource, a gamemode-type resource, was reported because it had suspicious-sounding text in the description that ran something like: "If you violate these terms, do not underestimate the power of Java". I didn't personally handle the report (another staff member got to it before me), but I went ahead and decompiled the plugin anyway out of curiosity.

It turned out to be full of malicious code, though not intentionally so. First, it wouldn't work unless you had an internet connection (it would disable the plugin). But then, it also gave special abilities to players on a contributor list. Remotely, he could also delete every plugin and its data running on the server (which is the majority of the entire server, really).

What was really strange is that he also created his own in-game GUI which allowed him to kick and ban any player on the server, as well as send back information about the machine the server was running on. The resource was removed.
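Reviewing a reported plugin starts with the decompiler, but a first pass can be automated: the constant pool of every class file in the jar already names the JDK and Bukkit methods the code calls, so network classes, plugin-disabling calls, file deletion and player kick/ban calls can be flagged before anyone reads decompiled source. The script below is an added example written for this post; it is not SpigotMC's review tooling. The indicator categories are this example's own choices, picked to match the premium-resource rules (no online validation, no remote disabling) and the behaviours found in the plugin above, and the sample jar it scans is constructed in memory from stub class files that contain only a constant pool, so it runs offline.

```python
"""Static triage of a Spigot plugin jar: parse each class file's constant
pool and flag references that contradict the premium-resource rules or
that look like remote control of the server. Matches are leads for the
decompiler, not verdicts: a plugin may delete its own temp files, for
example. Added example; not SpigotMC's tooling."""
import io
import struct
import zipfile

# Indicator strings per category (assumed for this example). Class names
# appear in internal form (slashes); method names appear as plain Utf8.
INDICATORS = {
    "network": {"java/net/URL", "java/net/Socket",
                "java/net/HttpURLConnection", "java/net/URLClassLoader"},
    "process_exec": {"java/lang/Runtime", "java/lang/ProcessBuilder"},
    "file_delete": {"delete", "deleteOnExit"},
    "plugin_control": {"getPluginManager", "disablePlugin"},
    "player_control": {"kickPlayer", "banPlayer", "org/bukkit/BanList"},
    "host_recon": {"java/net/InetAddress",
                   "java/lang/management/ManagementFactory"},
}

# Constant pool entries with a fixed payload size: tag -> bytes after the tag.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def utf8_constants(class_bytes):
    """Return every CONSTANT_Utf8 string in a class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", class_bytes[8:10])[0]  # constant_pool_count
    pos, index, out = 10, 1, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then modified UTF-8 bytes
            length = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            pos += 2
            out.append(class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        index += 2 if tag in (5, 6) else 1  # long/double take two slots
    return out


def scan_class(strings):
    """Map each indicator category to the strings from this class that hit."""
    present = set(strings)
    return {cat: sorted(present & needles)
            for cat, needles in INDICATORS.items() if present & needles}


def scan_jar(jar_bytes):
    """Scan every .class entry in a jar; return only classes with findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                hits = scan_class(utf8_constants(jar.read(name)))
                if hits:
                    findings[name] = hits
    return findings


def _utf8(s):
    b = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(b)) + b


def build_stub_class(strings):
    """Constructed fixture: header plus constant pool only (enough for the
    parser above; a JVM would reject it)."""
    entries = [_utf8(s) for s in strings]
    entries.append(b"\x07" + struct.pack(">H", 1))  # CONSTANT_Class -> #1
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(entries) + 1)
            + b"".join(entries))


def build_sample_jar():
    """Constructed sample jar: one ordinary plugin class and one class whose
    references resemble the behaviours described in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("me/example/Main.class", build_stub_class(
            ["org/bukkit/plugin/java/JavaPlugin", "onEnable", "getConfig"]))
        jar.writestr("me/example/Hidden.class", build_stub_class(
            ["java/net/URL", "openConnection", "java/io/File", "delete",
             "getPluginManager", "disablePlugin", "kickPlayer"]))
    return buf.getvalue()


if __name__ == "__main__":
    for cls, hits in scan_jar(build_sample_jar()).items():
        print(cls)
        for cat, names in hits.items():
            print(f"  {cat}: {', '.join(names)}")
```

Running it prints only `me/example/Hidden.class` with its network, file_delete, plugin_control and player_control hits; the flagged class is where the decompiler session should start. On a real jar, substitute the file's bytes for `build_sample_jar()`; obfuscated plugins still have to name the JDK classes they call, so this pass survives renamed packages, though string-built reflection would need the decompiler anyway.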