Security reports from platforms like ANY.RUN explicitly label version 4.4.2 of the MCLeaks Authenticator as Malicious Activity .

(located in C:\Windows\System32\drivers\etc on Windows) and removing any lines containing "mojang".

The software proxies the Mojang login request, often using stolen or compromised account details collected from other users.