The developer of the popular user-made expansion Downfall for Slay the Spire announced that on Christmas day they suffered a security breach.
According to the announcement, the developers’ Steam and Discord accounts have been hijacked, and while the breach has been contained relatively quickly, it had consequences.
Malicious actors managed to deploy their own malware on the PCs of some affected Slay the Spire users who played Downfall yesterday.
Here’s a list of cases that may help you find out if you’re affected:
- If you did not launch Downfall yesterday, you’re clear.
- If you got an automatic update for Downfall yesterday but did NOT launch, you’re clear.
- If you launched Downfall via the Steam Workshop (meaning you actually launched Slay the Spire), you’re clear.
- If you did launch Downfall yesterday and succeeded and everything looked normal, you’re clear.
- If you did launch Downfall yesterday and saw a command-prompt like screen, that starting spitting out a bunch of text, you’re in the clear. That was actually just the Java log which we usually keep hidden, but accidentally left visible when we restored the game.
- If you did launch Downfall yesterday and got a ‘no .exe found’ type of error, you’re clear. That was us exploding the game to prevent anyone else from being affected.
- f you did launch Downfall yesterday and got a Unity library installer popup, please continue to read. You may be also at risk.
If you are affected, but had an antivirus software active, it may not have managed to stop the malware from executing but may have managed to block it from sending the data it stole.
Specifically, the payload attempted to scrape passwords from browsers, Discord, and a few other applications: Windows local login, Google Chrome, Yandex, Microsoft Edge, Mozilla Firefox, Brave, Vivaldi, Telegram, Discord, and files that might contain the word ‘password’ (if ‘password’ is in the filename).
Those who saw the Unity popup are encouraged to change important passwords, especially if not protected by two-factor authentication. A wipe of the drives affected is also something the developers advise for those who want peace of mind. More information on the behavior of the malware can be found in the official announcement.
The creator of the mod Michael Mayhem apologized to those affected and mentioned that now Downfall is safe to download and play again.
Slay the Spire is a roguelike deck-building game available for PC, Switch, iOS, Android, PS4, and Xbox One, albeit, of course, only the PC version is affected by today’s news.
If you’d like to learn more about the game, you can read our review, which awarded it with a 9.5 out of 10.