A popular Slay the Spire mod called Downfall was compromised over the holidays, and used to push malware to s via a Steam update. The malware in question is called Epsilon and is used to steal information from infected hardware, and was present in the standalone version of the mod on Steam for around an hour on Christmas Day.
The attackers compromised one of the mod's developers' Steam and Discord s, allowing access to the mod's Steam . The Epsilon malware is frequently used on Discord, often packaged with a game executable, and once installed runs in the background harvesting the hardware's cookies, and any saved s or credit card information on the device or stored by browsers (everything from Google Chrome to Vivaldi).
"Christmas Day, at roughly 12:30 PM Eastern time, we experienced a security breach," writes developer Michael Mayhem. "At roughly 1:20 PM, that breach allowed a malicious to overtake our game on Steam's library for a period of roughly one hour. Our Steam and Discord s were hijacked, and though the Steam s were able to be recovered late in the evening, we were limited in our ability to warn or communicate immediately following the breach. Fortunately, we were able to contain the actual breach much more quickly than the amount of time it took to recover the s."
The breach was contained by roughly 2:30 pm Eastern Time, and only s who launched Downfall within that window were affected (there is a full list of who does and doesn't need to worry in a Steam update). The main concern is over s who saw a Unity library installer popup
"In your s/[name]/AppData/Local/Temp folder, there will be several files the Trojan creates," one affected writes. "One will be called epsilon-[name].zip, which contains everything the Trojan has stolen: Discord info, autocomplete, saved s, network info, cookies, saved credit cards, steam info. WARNING: If you go investigating these files for yourself, to do so without being connected to the internet, just in case there is still some possibility of retriggering an event."
Mayhem says a security professional who's looked at the breach believes it was a so-called "token hijack" or session hijack, and the damage has been minimal, though added to BleepingComputer that he's "reluctant to state anything with absolute certainty".
The mod's developers have purged all affected hardware on their end, are communicating with s and Valve about the breach, and are putting additional security in place to hopefully prevent something like this happening again.
"I can't apologize enough to the affected s," says Mayhem. "The thought that someone would hijack a free ion project for malicious intent is truly vile. If you are an affected , please me and I will do everything I can to help. Downfall is nothing without its players and the joy surrounding it and I am appalled at the attack."
This follows shortly after Valve announced new security checks on Steam developers pushing any update on their game's default release branch, after various examples of malicious builds being pushed to players via Steam. At the time Valve told PC Gamer that this "extra friction" for partners is a "necessary tradeoff for keeping Steam s safe and developers aware of any potential compromise to their ", adding that it has seen "an uptick in sophisticated attacks" targeting dev s.
Any s of Downfall are advised to change their s, and make sure two-factor authentication is enabled wherever possible.
