Popular Slay The Spire mod Downfall was hijacked to spread malware through Steam

Slay The Spire mod Downfall suffered a “security breach” on Christmas day which allowed hackers to distribute malware through Steam, the developers of the mod say. The malware attempts to steal users’ passwords from their internet browser, as well as passwords for messaging services Telegram and Discord.

Affected users would have seen a “Unity library installer popup” upon launching Downfall during the hijack. The hack was reversed as of around 1:40pm ET (6:40pm GMT) on December 25th, according to the announcement.

“Most Antiviruses seem to have not stopped the malware specifically from executing, but do stop its payload from being sent across the internet. This means you aren’t automatically damaged by the attack,” say the developers.

“The payload it tries to scrape and generate involves passwords, specifically from your browsers, Discord, and a few other applications: Windows local login, Google Chrome, Yandex, Microsoft Edge, Mozilla Firefox, Brave, Vivaldi, Telegram, Discord, and files that might contain the word ‘password’ (if ‘password’ is in the filename).”

Users have reported files created by the malware appearing in different locations on their hard drives, some of which are included in the announcement. The developers recommend only investigating suspicious files while disconnected from the internet. Those who saw the Unity popup should also change “important passwords, particularly ones that are not set up for 2FA (2-factor authentification).”

Downfall is a huge, popular Slay The Spire mod that adds new playable characters, a new mode, and more. Its developers have since started work on Tales & Tactics, a standalone auto-battling Chess roguelike.