Update: the post has been updated to better identify the time window in which the breach occurred. The game has also been updated with fresh a depot by the developers on 12/27, so if you see an automatic update after that date, you don't need to be alarmed.
The original article can be found below.
The developer of the popular user-made expansion Downfall for Slay the Spire announced that on Christmas day they suffered a security breach.
According to the announcement, the developers' Steam and Discord accounts have been hijacked, and while the breach has been contained relatively quickly, it had consequences.
Malicious actors managed to deploy their own malware on the PCs of some affected Slay the Spire users who played Downfall yesterday.
The specific time window during which the breach occurred is 1:30 PM-2:30 PM Eastern (1830-1930 UTC+0) on 12/25.
Here's a list of cases that may help you find out if you're affected:
- If you did not launch Downfall on 12/25, you're clear.
- If you got an automatic update for Downfall on 12/25 but did NOT launch, you're clear.
- If you launched Downfall via the Steam Workshop (meaning you actually launched Slay the Spire), you're clear.
- If you did launch Downfall on 12/25 and succeeded and everything looked normal, you're clear.
- If you did launch Downfall on 12/25 and saw a command-prompt like screen, that starting spitting out a bunch of text, you're in the clear. That was actually just the Java log which we usually keep hidden, but accidentally left visible when we restored the game.
- If you did launch Downfall on 12/25 and got a 'no .exe found' type of error, you're clear. That was us exploding the game to prevent anyone else from being affected.
- f you did launch Downfall on 12/25 and got a Unity library installer popup, please continue to read. You may be also at risk.
If you are affected, but had an antivirus software active, it may not have managed to stop the malware from executing but may have managed to block it from sending the data it stole.
Specifically, the payload attempted to scrape passwords from browsers, Discord, and a few other applications: Windows local login, Google Chrome, Yandex, Microsoft Edge, Mozilla Firefox, Brave, Vivaldi, Telegram, Discord, and files that might contain the word 'password' (if 'password' is in the filename).
Those who saw the Unity popup are encouraged to change important passwords, especially if not protected by two-factor authentication. A wipe of the drives affected is also something the developers advise for those who want peace of mind. More information on the behavior of the malware can be found in the official announcement.
The creator of the mod Michael Mayhem apologized to those affected and mentioned that now Downfall is safe to download and play again.
Slay the Spire is a roguelike deck-building game available for PC, Switch, iOS, Android, PS4, and Xbox One, albeit, of course, only the PC version is affected by today's news.
If you'd like to learn more about the game, you can read our review, which awarded it with a 9.5 out of 10.
