BluWizard
Lead Docs Author, Community Helper, Shader Contributor

Getting Hacked, How it Happened, and How to Protect Yourself

· 13 min read
BluWizard
Lead Docs Author, Community Helper, Shader Contributor

Hello everyone, BluWizard here.

I'm happy to announce that things are starting to return to normal here at Poiyomi Labs. The malicious actor responsible for the hijacking has been properly dealt with, disposed of, and thrown in the Garbage Compactor.

Clear your Browser's Data!

It is highly recommended that you clear your browser's cookies and data before accessing pro.poiyomi.com to download Pro Shader packages.

This is because we've received some reports that existing cookies will throw an error when attempting to download it through the Pro VCC Package.

Wait... what happened?

In case you have been living under a rock this whole time, a cybersecurity event occurred on Poiyomi's accounts. If you don't know who Poiyomi is... then I am very shocked.

Duh! He's the creator of Poiyomi Shaders, for God's sake! The one who created the shaders for our Avatars in VRChat that we know and love today!

But, how did this cyber attack happen? Well today, I am going to break down what exactly happened based on the information I've learned and from my research into this incident.

This is going to be a much different subject than what we normally talk about here, so sit down and drink some coffee because this one is a doozy!

The Attack

On April 13th, 2026, Poiyomi fell victim to a targeted cyber attack that involved a takeover of their Google Account and Discord, among others. During that time, packages were temporarily inaccessible and voluntarily taken down as a security precaution.

To put things simply, Poiyomi, like all of us, is a gamer. And just like anyone, we can fall for security exploits that happen without us even noticing. His account got compromised after downloading a modpack for Minecraft from CurseForge.[1] The attacker invited Poiyomi to a Minecraft server over Discord and provided a package to install via CurseForge, which is a known reputable website across the Minecraft community for hosting user-generated modpacks. Not only that, but the attacker used social engineering by digging into their friends list to claim that people they knew were already playing Minecraft in order to draw them in.[2]

Once the Modpack was successfully installed via CurseForge, chaos ensued.

The hacker gained control of Poiyomi's Google and Discord account via session hijacking. This is known as a "token grab," which is a malicious scripting attack where the login token is stolen from the browser's cookies and sent over the internet. This is a known social engineering attack layered on top of a technical one, where the attacker used a trusted social context to lower the victim's guard before deploying malware.

Once the attackers had access, they quickly snooped over his personal information leading to possible identity theft due to the sheer amount of personal information linked to their Google Account.

Now, you may be asking, "Wouldn't Poiyomi use Multi-Factor Authentication (2FA) everywhere?"

Yes, you would be right. He did have Multi-Factor Authentication enabled. Except that, even if you have Multi-Factor Authentication enabled, your login tokens are still exposed as a cookie!

The Malware Vector

This is not the first time CurseForge was weaponized this way to attack video gamers. A known variant of this exact incident dates back to Fractureiser in 2023, where several CurseForge and Bukkit accounts were compromised and used to inject malicious code into plugins and mods, which were then adopted by popular modpacks such as Better Minecraft, which amassed over 4.6 million downloads. Notably, many of the impacted modpacks were compromised regardless of whether the owners had Multi-Factor Authentication or not.[3]

The malware's purpose was to act as an infostealer, which stole Minecraft and Discord authentication tokens, as well as cookies stored on the web browser.[4] This is the exact kind of malware Poiyomi fell victim to.

Another instance of this malware vector was the Stargazers Ghost Network, which distributed malicious loaders disguised as legitimate Minecraft mods through over 500 GitHub repositories, boosted with fake stars and forks to appear trustworthy. Once installed, the malware captured Minecraft session tokens, Discord and Telegram login tokens, and deployed a .NET-based stealer to exfiltrate browser passwords, VPN logins, and other sensitive information.[5]

These vectors have one thing in common: they use the same Java-based architecture to hide malware inside .jar files that are executed silently alongside the game.

How Session Token Theft Works (and Why Multi-Factor Authentication Can't Stop It)

When you successfully log in to a web application, the server generates a session token stored as a cookie in your browser. This token tells the server, "I have already proven who I am, so keep me logged in." Unlike credential theft, which targets usernames and passwords, attackers can abuse the token created after authentication, directly bypassing the need to know a password.[6]

Why doesn't MFA help once a token is stolen? Well, that's easy. Multi-Factor Authentication only serves one purpose: Guard the Login. Once the Login is complete and a session token is issued, Multi-Factor Authentication has done its job. Now that the session is valid, it can remain active for hours or even days, assuming the Web Browser's cookies are never cleared regularly. So when an attacker steals your token, no login event is triggered and no Multi-Factor prompt is triggered because the Multi-Factor Authentication already happened when the original session was created.[7]

All modern Web Browsers store cookies in databases on the user's device. Malware specifically designed to target these databases can silently extract session tokens and transmit them to attackers, which is done through infostealer software. The same infostealer software is often used to "pass-the-cookie," which occurs when attackers hijack a victim's session cookies even when the application is not being used.[8] Because of how session hijacking bypasses Multi-Factor Authentication and passwords entirely, it is one of the fastest-growing attack vectors across the internet. If you think about how large this can be scaled, it is pretty frightening.
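The point above, that MFA is checked once at login and the cookie alone is accepted afterwards, can be seen in a small model. This is an added example, not code from Poiyomi Labs or any real service: the `SessionServer` class, the account data and the HMAC-based device proof are all assumptions, with the HMAC key standing in for a key that never leaves the victim's device.

```python
import hashlib
import hmac
import secrets

# Constructed account for the demo; nothing here comes from the incident.
USERS = {"creator": {"password": "correct horse", "otp": "492817"}}


def sign(device_key, nonce):
    """Proof of possession, computed on the device that holds the key."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


class SessionServer:
    """Toy web app: MFA at login, then a cookie-style session token."""

    def __init__(self, device_bound=False):
        self.device_bound = device_bound
        self.sessions = {}  # token -> {"user", "device_key", "nonce"}

    def login(self, user, password, otp, device_key=None):
        account = USERS.get(user)
        if account is None or (self.device_bound and device_key is None):
            return None
        # Both factors are checked here, and only here.
        ok = hmac.compare_digest(password, account["password"]) and \
            hmac.compare_digest(otp, account["otp"])
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "device_key": device_key, "nonce": None}
        return token

    def challenge(self, token):
        """Issue a fresh single-use nonce for the holder of the device key."""
        session = self.sessions.get(token)
        if session is None:
            return None
        session["nonce"] = secrets.token_bytes(16)
        return session["nonce"]

    def request(self, token, proof=None):
        """Return the user the request is served as, or None if rejected."""
        session = self.sessions.get(token)
        if session is None:
            return None
        if not self.device_bound:
            return session["user"]  # bearer cookie: possession is enough
        nonce, session["nonce"] = session["nonce"], None  # consume the nonce
        if nonce is None or proof is None:
            return None
        expected = sign(session["device_key"], nonce)
        return session["user"] if hmac.compare_digest(proof, expected) else None


def replay_scenario(device_bound):
    """Owner logs in with MFA; a copy of the cookie is then used elsewhere."""
    server = SessionServer(device_bound)
    device_key = secrets.token_bytes(32)  # stays on the owner's device
    token = server.login("creator", "correct horse", "492817", device_key)
    copied_cookie = token  # the cookie store was copied, the device key was not

    nonce = server.challenge(token)
    owner = server.request(token, sign(device_key, nonce))

    # Second machine: has the cookie, but no password, no OTP, no device key.
    server.challenge(copied_cookie)
    replay = server.request(copied_cookie, proof=None)
    return owner, replay


if __name__ == "__main__":
    print("bearer cookie :", replay_scenario(device_bound=False))
    print("device-bound  :", replay_scenario(device_bound=True))
```

With a plain bearer cookie both requests are served as the account owner and `login()` is never called a second time, so no MFA prompt can fire; with the device-bound variant the copied cookie is rejected.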

What We Did

Shortly after the attack occurred on Poiyomi, his Discord account began to act maliciously... changing permissions and removing Moderators since Poiyomi's Discord Account was the Server Owner (which has ALL permissions). The entire team here at Poiyomi Labs worked their very hardest to suppress the malicious actor's actions (which was hard to do because the malicious actor had access to a Server Owner's account).

To further protect ourselves, we began voluntarily shutting down our VCC Repositories, suspended Poiyomi's GitHub accounts, and began recovery efforts as soon as possible. It didn't take long for Poiyomi's Patreon account to get accessed by the malicious actor. Due to Patreon's extremely poor customer service, recovering access to their account was a nightmare. Eventually, Poiyomi regained access after the entire community yelled at Patreon on Twitter/X on the issue.

Funny enough, Patreon decided to discontinue customer support on Twitter/X shortly after this incident became widespread on the platform. Coincidence? I think not!

What followed for an entire week was a tireless effort to recover ourselves from this incident. A lot of misinformation was spread about "malware being added to Poiyomi Shaders," which was never true. Even though files were hosted on VCC Repositories and in our Discord Server, you cannot edit files that were already uploaded. Regardless, we took the Repositories offline just in case.

I, myself (BluWizard) as the sole maintainer of the Poiyomi Documentation, was unaffected. Months ago, Poiyomi granted me management access to Vercel (our hosting provider for the Documentation). When the incident occurred and the PoiyomiDocs repository got taken offline temporarily with Poiyomi's GitHub account, I was able to temporarily change the Git Repo to my fork of PoiyomiDocs so that I could still maintain it. This allowed me and Tony_Lewis to post the same announcement made in the Discord Server on here about the incident and an FAQ. If Poiyomi didn't graciously grant me permissions to maintain our host, the website would have been "frozen" with no way to update information and a lot of unanswered questions. I am forever grateful for Poiyomi's trust in me to maintain the Documentation on his behalf.

Meanwhile on our Discord Server, we were flooded with lots of comments, questions, and complaints during that whole week. It was not easy for us, even for Tony_Lewis.

The Aftermath

A few hours passed after the attack happened, and eventually it all stopped. The malicious actor attempted to hold their account at ransom, but it reached a point where that was not possible thanks to the sheer amount of security measures we had in place. In the end, all parties involved reached a dead-end. Nobody, not even the attacker, could go any further. This whole game of chess resulted in a stalemate.

The whole situation wasn't over yet, however. Poiyomi was MIA as he was still working tirelessly to fully recover from the cyber attack. Identity theft reports were filed and many emails were sent.

As Poiyomi started to slowly bring his accounts online after fully regaining access, their GitHub Repositories started to come back online. It was time to rejoice! Although, many people argued that they didn't wanna risk being attacked either. Even so, we analyzed all the files once back online and we found NO changes made on GitHub. The files are still 100% safe to use, which was a huge relief.

The most important thing to express here is that this attack was caught very early. If this had gone on for much longer without being caught, the situation could have been far worse than we could have imagined.

What Can I Do to Protect Myself?

The strongest defense these days is yourself. Yes, it's not the greatest answer I can give, but you can have the strongest defense against cyber attacks if you know exactly what to do. Here is some advice I can personally share on how to best protect your account:

  • USE FIDO2-based Security Passkeys that cryptographically bind authentication to specific devices and websites.
    • I personally utilize FIDO2-based YubiKeys on my accounts, which are USB devices that cryptographically authenticate your login during Multi-Factor Authentication.
  • USE Device Bound Session Credentials (DBSC) if available.
    • Google's Device Bound Session Credentials (DBSC), available in Chrome v146 and newer, binds authentication sessions to a specific device using the Trusted Platform Module (TPM) on Windows. This means if the token was stolen, it is useless on other computers because of your TPM module. In fact, this is one reason why TPM 2.0 is a requirement for Windows 11.[9]
  • HAVE shorter session lifetimes to reduce the value of a stolen token.
    • A session that expires after 15 minutes of inactivity is far less useful to an attacker than one valid for several days.
    • If you want to be extra vigilant, configure your Web Browser to automatically clear your Cookies on a scheduled cadence.
  • AUDIT your active browser sessions on Google, Discord, GitHub, etc., and revoke anything you don't recognize.
  • KEEP your preferred Antivirus Software active and up-to-date.
    • Let's face it, Windows Defender cannot be the last line of defense. While Windows Defender detects some token stealers, Bitdefender and Malwarebytes have broader coverage of detecting them. Regardless, YOU are the last line of defense against any attack!
  • DO NOT install software from unverified sources, even if they seem trusted! Think twice, analyze, and research before installing legitimate software.
    • This obviously includes modpacks, as described in this post. .jar files can be contaminated with malware if you're not careful!
  • IF a friend DMs you (most often randomly) about anything, watch the conversation pattern. If it feels off or unusual from what you are acquainted with, raise a red flag, ask a personal question that your friend would only know about you, and exercise caution.
    • Sometimes when I receive a random DM from a friend with unusual messaging patterns and they insist that I do something, I like to rage-bait them to the point where they would just give up. The results can be hilarious.
  • SET UP a SIM PIN to protect yourself from a "sim swap" attack. A "sim swap" is what happens when an attacker tricks your carrier into changing your SIM card registration remotely without requiring them to physically change your SIM card.[10]
    • Falling victim to a sim swap attack is even more horrific than a login token being stolen because an attacker can use your Phone Number to login to your accounts without your knowledge. Scary!
    • Both iPhone and Android users can set up a SIM PIN in your phone's Carrier Settings. You would need to first enter the default PIN (provided by your carrier). Then, change it to a PIN that you will remember. That's it!
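Two items in the list above, short session lifetimes and auditing active sessions, have a server-side counterpart: because use of a copied cookie produces no login event, the place to look is session use itself. The sketch below is an added example, not anything Google, Discord or Poiyomi Labs runs; the log format, device labels and finding names are constructed for illustration.

```python
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)  # the idle timeout suggested in the list above

# Constructed session log: time, session id, event, device label, source IP.
SAMPLE_LOG = """\
2026-01-05T10:00:00 s1 login dev=desktop-A ip=198.51.100.7
2026-01-05T10:06:00 s1 use dev=desktop-A ip=198.51.100.7
2026-01-05T10:09:00 s1 use dev=unknown-B ip=203.0.113.50
2026-01-05T10:10:00 s1 use dev=desktop-A ip=198.51.100.7
2026-01-05T12:00:00 s2 login dev=phone-C ip=198.51.100.7
2026-01-05T12:50:00 s2 use dev=phone-C ip=198.51.100.7
"""


def parse(line):
    """Split one log line into a record with a real datetime."""
    ts, sid, event, dev, ip = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "sid": sid,
        "event": event,
        "device": dev.split("=", 1)[1],
        "ip": ip.split("=", 1)[1],
    }


def audit(log_text, idle_limit=IDLE_LIMIT):
    """Walk a time-ordered session log; return (findings, revoked session ids)."""
    sessions = {}  # sid -> {"device", "last_seen"}, created only by a login
    revoked = set()
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse(line)
        sid = rec["sid"]
        if rec["event"] == "login":
            # The only point where password and MFA were checked.
            sessions[sid] = {"device": rec["device"], "last_seen": rec["time"]}
            revoked.discard(sid)
            continue
        state = sessions.get(sid)
        if state is None:
            findings.append((sid, "unknown-session", rec["device"]))
            continue
        if sid in revoked:
            # Every copy of the cookie is dead; the owner signs in again with MFA.
            continue
        if rec["time"] - state["last_seen"] > idle_limit:
            findings.append((sid, "idle-timeout-exceeded", rec["device"]))
            revoked.add(sid)
        elif rec["device"] != state["device"]:
            # Same cookie, different device, and no login in between.
            findings.append((sid, "device-changed-without-login", rec["device"]))
            revoked.add(sid)
        else:
            state["last_seen"] = rec["time"]
    return findings, revoked


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG)[0]:
        print(finding)
```

Revoking on the first mismatch also signs the legitimate owner out, which is the intended outcome: the next request has to go back through the login, where MFA applies again.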

Conclusion

To be frankly honest, cybersecurity is extremely important in this day and age. With AI booming with popularity and big media prioritizing fear-mongering propaganda, it is vital that you carefully guard your online accounts with a sense of urgency on a daily basis. You never know when everything you care about online goes away in a blink of an eye.

Thank you for reading and please stay safe out there!

Footnotes

  1. Poiyomi Hacked? VRChat users warned not to download or update shaders

  2. Poiyomi Shaders Compromised in Targeted Minecraft Social Engineering Attack

  3. New Fractureiser malware used CurseForge Minecraft mods to infect Windows, Linux

  4. Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware

  5. Minecraft Mods used to Spread Malware

  6. Session Hijacking: How Attackers Bypass Your Defenses

  7. Session Cookie Theft: You Showed Your ID at the Door. But Someone Else Has Your Room Key

  8. Session Hijacking vs Stolen Cookies: Real-World Attack Scenarios & Detection

  9. What Is a Trusted Platform Module (TPM)?

  10. Hijacked by a Text: Understanding and Preventing SIM Swapping Attacks

Upcoming Changes to the Documentation for 10.0

· 6 min read
BluWizard
Lead Docs Author, Community Helper, Shader Contributor

Hi, BluWizard here! As the maintainer of the Poiyomi Shaders Documentation, I would like to share some changes being made to the Documentation in preparation for 10.0.

As some of our Patreon subscribers already know, Poiyomi Pro 10.0 is now available and is ready for open testing. Before 10.0 can be released to the public as Poiyomi Toon (Free), some changes must be made to this website so that the transition is seamless and that information stays relevant and up-to-date.

This also includes a full transition from being able to download Poiyomi Pro into our brand new system used on pro.poiyomi.com, which is far more reliable than Discord for various technical reasons. That being said, all future downloads of Poiyomi Pro will be handled from that sub-domain moving forward.

Now, let's get into the most important changes...

Docs Versioning

As of recent updates, we have implemented the usage of the Docusaurus Versioning CLI to create versions of each page in the documentation that shows context based on the version selected. It appears as a version dropdown on the Header, which looks like this:

Dropdown Menu to switch between versions.

Figure 1: Version Dropdown

When you hover your mouse over it, you will see some version numbers. By default, the latest version will be what has been set as the default in our configuration. If you select an older version (such as 9.3), the context of the documentation page you are viewing will significantly change.

This means that if you happen to be using an older version, you can now use this dropdown to view accurate information on what you're looking for. Because of how 10.0 has a gigantic amount of changes across the shader overall, this will be how we will control our context for future versions. By default, the "latest" will be shown (which is 10.0). If you happen to be viewing context with an older version selected, a yellow-colored banner will appear as a gentle reminder.

If a new version becomes available, we will run a CLI command that basically "archives" a copy of all pages into a special "versioned_docs" directory. So if and when 10.1 releases in the distant future, we will run a command that makes all current (10.0) documentation be archived as a previous version, thus making any new edits be seen as 10.1 (latest version) and the Version Dropdown gets updated.

As a result, this allows our visitors to always find relevant information for the version of the shader they are using. Now while it could make it difficult for contributors to help improve our documentation, we barely get any changes to older versions. So there is less of a reason to edit or update older pages for older shader versions unless deemed absolutely necessary.

You can view more technical details of how this system works here.

Download & Install Instructions

As some people may have already noticed, our Download & Install instructions have been overhauled as requested by Poiyomi.

To start, Poiyomi Toon (the public Free version) now recommends ALCOM / Creator Companion as our recommended installation method. This is because we find this method to be far more manageable and easier for the majority of our users, as the package is coded to automatically remove conflicting Poiyomi Shaders versions (if any are detected) before it is installed in the project. It also now contains scripts that harden the process to ensure that edgy avatar creators who like to include a copy of Poiyomi Shaders with their Avatar packages never have their conflicting copy imported in the first place (essentially removing the _PoiyomiShaders folder from the import dialogue). A Debug message will throw in the console when this happens, so you'll know. If you are reading this and are one of those avatar creators still doing this practice, please stop doing that!

Secondly, for our Poiyomi Pro users, all Poiyomi Pro Unity Packages starting with 10.0 will now be posted on pro.poiyomi.com from now on. We will be deprecating posting our Unity Packages from our Discord server moving forward, as Discord's inability to maintain the platform's security and Patreon's inability to make the Discord Bot reliable makes using Discord for Patreon Authentication a very difficult process for everyone. Thus, authenticating from our new pro.poiyomi.com website has proven to be much more reliable and has faster authentication timing from Patreon in comparison, so we highly recommend you bookmark that website.

Please take a read through our updated Download & Install instructions to see all the options now available to you.

Docusaurus Upgrades

We are transitioning our framework to prepare for breaking changes that will be introduced in Docusaurus v4.0, which is due out sometime this year. This major upgrade will introduce optimized build infrastructure, including Rspack, SWC, LightningCSS, optimized storage, and stricter guidelines on writing.

MDX guidelines will become stricter with the syntax without having to rely on proprietary Docusaurus syntax on top of MDX. Since the ecosystem is widely moving to MDX v3, we have transitioned all pages to the .mdx file extension so that this website is future-proofed against it. The upside of this is that this will allow our documentation to be more portable with external tools like Prettier, ESLint, TypeScript, VSCode, and GitHub to better understand the format. This greatly improves compatibility with the Unified ecosystem and the MDX Playground.

Alongside all these changes, Admonitions, Comments, and Heading IDs are getting an upgrade which will be noted in the CONTRIBUTING document for our contributors to read over.

With that being said, if you are reading this and are maintaining your own Docusaurus website (I know VRChat uses it for their Creators Docs), I highly recommend you read the full blog post here on Docusaurus v3.10 release, which details how to prepare your website for Docusaurus v4.0.

Conclusion

There is a lot more work to be done as Poiyomi 10.0 is continuously being worked on each day to ensure it is fully stable when the big day comes (the full release of the 10.0 Free version, that is). I am continuously editing, updating, and proofreading everything that I learn from each new update. If you find some information that is either inaccurate, conflicting, or find tomfoolery of any kind, please don't hesitate to reach out by opening an Issue on our Docs Repository as this helps me stay organized on what needs to be done.

Introducing Poiyomi 9.2

· 3 min read
BluWizard
Lead Docs Author, Community Helper, Shader Contributor

Heya, BluWizard here! Just wanna hop in to give you some info on Poiyomi 9.2, a major update to the shader that has just released!

While most of the features haven't changed, this update has introduced native support for VRC Light Volumes, an excellent voxel-based Light Probes replacement for VRChat Worlds. Alongside that are a variety of bug fixes and improvements! See the Changelog Blog for all the details.

VRC Light Volumes

What's so special about VRC Light Volumes is that it allows for more natural lighting to show on your Avatar, making for stellar appearances in photos. Here are just two examples of what this can look like on Sacred's Avatar...

Light Volume Example 1

Light Volume Example 2

Notice that in the images above, the light tubes are able to emit very evenly across the Body. Before, it could only be an approximation.

Here's a comparison on DrBlackRat's Avatar. Pay attention to the differences between Poiyomi 9.2 (latest) vs. Poiyomi 9.1 (older version)...

Light Volumes vs. None Comparison

As you can see, the results can be very obvious! The Material appears more evenly illuminated from the environment compared to previously.

Since VRC Light Volumes was created earlier this year, you should begin to notice more and more Worlds adopt this system. Adding support for VRC Light Probes can make the shader future-proof to newer Worlds that plan to take advantage of this new lighting system.

The best part of all this? You don't have to do anything to your Materials! It's automatically enabled by default. All you need to do is make sure to update to the latest version of Poiyomi Shaders and just simply set your Materials to use the latest version.

Vertex Options Reorganized

Let's quickly talk about another significant change introduced in 9.2. Those who have used Vertex Options, Vertex Glitching, and Vertex Colors should read this!

In the latest version, you may have noticed that those sections have gone missing from the Color & Normals category. This is intentional! We have reorganized them into a brand new category in the shader UI, under Vertex Options. It is located in-between the AudioLink and Global Modifiers & Data sections.

New Location of Vertex Options

Underneath this area, we have renamed those sections into simply, Basics & Fun, Glitching, and Vertex Colors respectively. If you have used these features under the old names before, don't worry! All your existing configurations should transition over seamlessly when updating your Materials.

Why did we do this? Well, this is to make way for another upcoming vertex-based feature called LookAt, which is right now being tested in the Pro version of the shader. We'll talk about that sometime in the future.

Conclusion

We hope you enjoy these new improvements to Poiyomi Shaders! As always, feel free to shoot us a message in our Discord Server for any questions or comments. Also if you have any pictures of your Avatars using the newest version, we invite you to share them there in our #showcase and #in-game-pics channels!

Click here to see the Patch Notes

Major Revamps to the Poiyomi Documentation

· 4 min read
BluWizard
Lead Docs Author, Community Helper, Shader Contributor

Greetings! My name is BluWizard. I've been one of the recent active contributors to the Poiyomi Shaders Documentation, bringing everything up-to-date with 9.0 and finishing up some areas that needed attention.

I would like to talk about some of the major updates that I'm bringing to the Documentation. These overhauls will help bring it more in line with our goals with the Poiyomi Shaders Documentation, as well as bring it more in-line with how similar Documentations organize their pages and helpful resources. We hope these updates will encourage more frequent usage of the Documentation, rather than just trying to search Discord for an answer.

Let's start off with the big one... A brand new Home Page!

Instead of providing just completion status, I made the Home Page look more presentable and professional. Not only does it introduce what known features you can do with the Shader, but it also has two new Buttons that will redirect you to where to Download & Install the shader, as well as a link to Join the Discord Server.

I have appended some of the relevant information back to the Introduction page, which will now act as the Docs Hub. It talks about how to navigate the Documentation, as well as our Completion Status. As for links to Download the Shader, it has been moved into an entirely dedicated page.

Speaking of, let's talk about the new Download & Install page!

This is going to be your new one-stop shop to learn how to Download, Install, and Update Poiyomi Shaders. Since we both maintain a classic Manual Unity Package version and a VCC Version, we now detail instructions on how to use either one. We list both Method 1. and Method 2. as the instructions.

We prefer that the users choose which method they wish to use when downloading and installing the Shader. While Method 1. Manual Unity Package is preferred, a growing number of users may have a better experience using Method 2. Creator Companion to install the Shader due to its ease-of-use.

Regardless, whichever method you use is up to you, but keep in mind that the latest version of the Shader will always be available first via Discord before it's distributed on GitHub, BOOTH, and in the VCC Repo. If you are a Poiyomi Pro user, they will exclusively be available via Discord as always. This is also mentioned on the page.

There are even more changes, down to the small details. Let's break down all the notable visual changes:

  • Overhauled the Home Page.
    • A more professional, presentable Home Page that gets right to the point and contains relevant information.
    • Added a new Logo.
    • Added Buttons that redirect to Download & Install as well as the Discord Server.
  • Added Download & Install Page.
    • Two Methods with Instructions on how to install Poiyomi Shaders, either as a Unity Package or through the Creator Companion.
    • Download Links.
    • Info on the Pro Shader.
  • Improved SEO on various pages.
    • I have given many pages more descriptions and keywords for SEO (Search Engine Optimization), so that the Documentation and the website as a whole can appear clearly on Search Engines.
  • Fixed a lot of Image and Video Sizing to be more consistent.
    • For a while, this Documentation was not very mobile-friendly. I've implemented some changes to React JS that make the embedded videos have more responsive width, regardless of display size. This eliminates an issue where the embedded videos would extend far beyond the width constraints on a Mobile Web Browser. By default, all Images and Videos will now be automatically responsive based on your browser's width, with some exceptions on certain Documentation entries.
  • Upgraded Docusaurus to v3.3.2.
    • Docusaurus v3.3.2 introduces major improvements, bug fixes, and new features for us to use in the near future.
    • React, MDX, and Node.js have been updated as a result of the Docusaurus v3 Upgrade.
    • The Light and Dark Theme will now automatically match the user's client by default.
  • Removed irrelevant information and old pages in favor of the new Download & Install page.
    • The Poiyomi VCC Repo Page is no longer necessary, as I've implemented a button in the Download & Install page for the VCC Version that directly opens the Creator Companion App, adding the Repository.
    • Redirects added to the website configuration to handle old links.

Conclusion

We are continuously working on improving the Documentation with as much information as possible in an easy-to-understand fashion. If you have any feedback, feel free to drop us a line in the Discord Server. Other than that, we hope you enjoy these new updates!