• Rentlar@lemmy.ca
    link
    fedilink
    arrow-up
    14
    ·
    1 year ago

    The app affected is the prepackaged version of the Downfall Mod with Slay the Spire, not the Steam Workshop version, apparently. (I have the Downfall mod but didn’t know the pre-packaged version was a thing!)

    “The breach window was roughly 1:30 PM-2:30 PM Eastern (1830-1930 UTC+0) on 12/25. If you did launch Downfall on 12/25 during the breach window and got a Unity library installer popup, please continue to read. You may be also at risk. The security breach allowed a malicious upload to replace the Downfall packaged game,” Mayhem said in a statement published on Wednesday.

    • FlumPHP@programming.dev
      link
      fedilink
      arrow-up
      12
      ·
      1 year ago

      Make sure you check the statement. You’d have to have launched the mod in a specific way during a specific time window

  • gibmiser@lemmy.world
    link
    fedilink
    arrow-up
    8
    arrow-down
    4
    ·
    1 year ago

    Man I have been clear of any real issues for a long time, this one has my anxiety spiking as someone who installed a lot of steam games…

  • Nik282000@lemmy.ca
    link
    fedilink
    arrow-up
    4
    arrow-down
    4
    ·
    1 year ago

    I love Steam and wouldn’t lay the blame for this on them but this is why you need to use trusted software sources and isolate machines that use less trustable software.

    • null@slrpnk.net
      link
      fedilink
      arrow-up
      11
      arrow-down
      1
      ·
      1 year ago

      Steam was not even involved. This didn’t affect the Steam version.

      • Nik282000@lemmy.ca
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        1 year ago

        Downfall, a fan expansion for the popular Slay the Spire indie strategy game, was breached on Christmas Day to push Epsilon information stealer malware using the Steam update system.

        The publisher got pwnd and the malware got pushed out over Steam. No different from someone publishing a malicious game directly.