
It's actually worse than the online post here indicates. There was another <script> tag at the bottom of the page that had remained there, seemingly missed after the password theft script had been removed.

Ultimately I think the site's been serving foreign (potentially malicious) JS for about two months, with Curse having been aware for probably a month without users being informed. The password theft script was definitely there for at least a month before it was removed. It's great to hear Curse are working on a bug bounty programme, but as I mentioned in IRC it's disappointing to see such a big company respond like this.

There's some more information available from the channel IRC logs: https://korobi.io/network/esper/channel/bukkit/logs/2015/12/...
