Malware hidden in Minecraft plugins is a real problem. Before you install a plugin on your server, search this public registry to confirm who actually published it — every entry ties a Spigot, Modrinth, or CurseForge plugin to a verified VerifyUGC developer and their Trust Score.
Publish a plugin? Register it here so server operators can verify it’s really yours — and so re-uploads and impersonators have a public, dated record to contend with. Verified plugins also build your developer Trust Score.
Register a plugin →The most common way servers get compromised is by installing a plugin from an unofficial re-upload — a copy of a popular plugin with malware (a backdoor, a token logger, or a crypto-miner) bolted on. The plugin code itself looks fine; the danger is that you downloaded it from the wrong place, published by someone pretending to be the real developer.
This registry attacks that problem from the identity angle. Search the plugin name or the developer’s handle to see whether the plugin is registered to a verified developer, what their VerifyUGC Trust Score is, and which platform (Spigot, Modrinth, or CurseForge) the official listing lives on. A verified developer with a strong, long-standing Trust Score is far safer than an anonymous mirror.
Each registry entry shows the developer’s @handle and 0–250 Trust Score, the platform the plugin is published on, the registered version, and the date the claim was filed. Click through to a developer’s profile to see their linked accounts, reviews, and history.
Identity verification doesn’t scan code — it confirms provenance. Use the registry to make sure a plugin comes from the real developer, then download only from the official listing the entry links to, and run untrusted JARs through a scanner before deploying them to a production server.