Windows skin cache security breach / exploit
tl;dr
Whoever sees a certain player in multiplayer will download a shell script onto his PC, but it won't run without actually executing it.
What is it?
It is possible to upload a Minecraft skin that has Hypertext Application Language code in it without it getting filtered by the skin upload page. As soon as a player sees the player with the modified skin in multiplayer, it will be downloaded into his skin cache. This cache will contain the uploaded code. If the user runs this as a .hta file, the code will be loaded and will execute shell commands, such as batch code that can contain malware.
How to reproduce?
I have uploaded the skin to my account with some example code. You can find it by the username "VirtualPhilipp" or "fb2667bf-ae2c-48b2-962a-fd0a73c5f3ec". Download it either through the official Minecraft skin servers, or by seeing me in multiplayer, and look at it with Notepad++ or something like that. You can also run it as a .hta file after looking at the code; just rename it to skinfilename.hta.
(Open the skin file at .minecraft/assets/skin/<skinfolder>/ in Notepad to see the Hypertext Application code at the bottom.)
How to get the code to my Skin?
To apply code to your skin, download yours, open it in Notepad++ and add Hypertext Application Language at the bottom of the data. When finished, hit save and upload the skin to Minecraft.
Example Code
<html>
  <head>
    <script language="VBScript">
      Sub test
        Set objshell = CreateObject("Wscript.Shell")
        objshell.Run "cmd /K @echo some CMD stuff here like & calc.exe & cd C:\ & md testfolder"
      End Sub
    </script>
  </head>
  <body onload="test">
  </body>
</html>
(Place it at the bottom of the skin file.)
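A check a server operator or defender can run over cached skin files, added here as an example and not part of the original report or of Minecraft's own code: it walks the PNG chunk structure, verifies each chunk CRC, and flags any bytes that follow the IEND chunk, which is exactly where text appended "at the bottom of the skin file" ends up, since PNG decoders stop reading at IEND and never complain about it. The minimal 1x1 PNG and the trailing markup used as input are constructed inline; the marker list is a simple assumption about what such appended text tends to contain.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Substrings that indicate markup or script text riding behind the image data
# (constructed list; extend as needed).
SUSPICIOUS_MARKERS = (b"<html", b"<script", b"<hta:application",
                      b"createobject(", b"wscript.shell")


def _chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def make_minimal_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed opaque RGBA PNG standing in for a real skin file."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    # One filter byte (0 = None) per scanline, then width RGBA pixels.
    raw = b"".join(b"\x00" + b"\x00\x00\x00\xff" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def trailing_data(png: bytes) -> bytes:
    """Walk the chunk list and return whatever follows IEND (b'' for a clean file).

    Raises ValueError if the data is not a structurally valid PNG, so a file
    that fails here is suspicious for a different reason and should not be
    treated as clean.
    """
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(png):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length  # header (8) + data + CRC (4)
        if end > len(png):
            raise ValueError("chunk %r runs past end of file" % ctype)
        data = png[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", png[pos + 8 + length:end])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        pos = end
        if ctype == b"IEND":
            return png[pos:]


def scan_skin(png: bytes) -> dict:
    """Report trailing bytes after IEND and which markup/script markers they contain."""
    extra = trailing_data(png)
    lowered = extra.lower()
    hits = [m.decode() for m in SUSPICIOUS_MARKERS if m in lowered]
    return {"trailing_bytes": len(extra), "markers": hits, "suspicious": len(extra) > 0}


# Constructed stand-in for text appended after the image data, shaped like the
# report's example (markup plus a script block); it is never executed here.
CONSTRUCTED_PAYLOAD = (b'<html><head><script language="VBScript">Sub test\nEnd Sub'
                       b'</script></head><body onload="test"></body></html>')

if __name__ == "__main__":
    print("clean skin:   ", scan_skin(make_minimal_png()))
    print("appended text:", scan_skin(make_minimal_png() + CONSTRUCTED_PAYLOAD))
```

Because the check relies only on PNG structure, it works on any cached skin regardless of what was appended; a non-empty trailing region is itself the finding, and the marker list just helps triage what kind of text is there.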
2017-10-08, 05:58 PM
2017-10-08, 07:25 PM
Application, Hypertext, Language, Minecraft, Skin, Skins
Minecraft 1.12.1, Minecraft 1.12.2 Pre-Release 1, Minecraft 1.12.2 Pre-Release 2, Minecraft 1.12.2