Curseforge is the biggest platform for downloading Minecraft mods, and Bukkit is a software for hosting Minecraft servers.
Overview from the article: "A number of Curseforge and dev.bukkit.org (not the Bukkit software itself) accounts were compromised, and malicious software was injected into copies of many popular plugins and mods. Some of these malicious copies have been injected into popular modpacks including Better Minecraft. There are reports of malicious plugin/mod JARs as early as mid-April."
client.jar searches the entire filesystem for files that look like mod JARs, and infects them with Stage0. This includes entire Gradle and Maven caches, as well as tons of things mod devs would likely never think to check. The potential scale and scope of this infection has gone from “a couple weird mods” to potentially infinite.
Overview from the article: "A number of Curseforge and dev.bukkit.org (not the Bukkit software itself) accounts were compromised, and malicious software was injected into copies of many popular plugins and mods. Some of these malicious copies have been injected into popular modpacks including Better Minecraft. There are reports of malicious plugin/mod JARs as early as mid-April."