"Downfall" from the popular mod "Slay the Spire" received unauthorized access during the Christmas vacations and was used to push malware to users via Steam updates. The malware in question is called Epsilon and is used to steal information from infected hardware.

The attacker compromised the mod developer's Steam and Discord accounts to gain access to the mod's Steam account; the Epsilon malware is frequently used on Discord, often packaged with the game executable and and, once installed, runs in the background harvesting hardware cookies, passwords and credit card information stored on the device, or information stored by the browser (everything from Google Chrome to Vivaldi).

"On Christmas Day, at approximately 12:30 PM Eastern time, we experienced a security breach," wrote developer Michael Mayhem. At approximately 1:20 p.m., the breach caused malicious uploads to take over our games in the Steam library for approximately an hour. Our Steam and Discord accounts were hijacked, and while we were able to recover our Steam account later in the evening, we had limited warning and communication immediately following the breach. Fortunately, we were able to contain the actual breach much faster than the time it took to recover our accounts."

The breach was contained by about 2:30 p.m. Eastern time, and only users who launched Downfall within that time frame were affected (there is a complete list of who needs to worry and who does not with the Steam update). The main concern is for users who saw the Unity library installer pop-up

"In your users/[username]/AppData/Local/Temp folder, there are several files that the trojan creates." One is called epsilon-[username].zip and contains everything the Trojan stole: Discord info, autocomplete, stored passwords, network info, cookies, stored credit cards, steam info. Warning: If you choose to investigate these files yourself, do so without an Internet connection.

According to Mayhem, security experts who investigated the breach believe that it is a so-called "token hijacking" or session hijacking and that the damage is minimal, but they told BleepingComputer that they "do not want to state with absolute certainty what However, he added to BleepingComputer, "I would like to refrain from stating anything with absolute certainty.

The mod's developers have removed all affected hardware, communicated with users and Valve about the breach, and are implementing additional security to prevent this from happening again.

"I can't apologize enough to the affected users," Mayhem said. 'The idea that someone would hijack a free passion project for malicious intent is truly despicable. Any users who have been affected should contact me. Downfall would not be what it is without the players and the joy that surrounds them, and I am appalled by this attack."

This follows shortly after Valve announced new security checks for Steam developers pushing updates to the default release branch of their games, following various instances of malicious builds being pushed to players via Steam At the time, Valve told PC Gamer that this "extra friction" for its partners was "a necessary trade-off to keep Steam users safe and developers aware of potential breaches to their accounts," and that it had seen an "increase in sophisticated attacks" targeting developer accounts He added that.

Downfall users are encouraged to change their passwords and ensure that two-factor authentication is enabled whenever possible.