Project Zomboid bans rogue mods deploying “malicious code” to players’ PCs

The Indie Stone, the creative force behind the beloved zombie survival game Project Zomboid, has taken decisive action in response to a series of troubling mods that were found to be generating malicious files outside the game’s designated directory. These mods, which were associated with the popular ‘True Moozic’ soundtrack expander, were not linked to its original creator and have since been removed from the Steam Workshop. The developer has also banned the individual responsible for these harmful uploads, urging players who may have downloaded the affected mods to take precautionary measures.

Addressing Security Concerns

For many players, mods have been an integral part of enhancing their Project Zomboid experience, especially following the recent overhaul with Build 42. The game offers a plethora of customization options, from increasing the number of vehicles to introducing complex plumbing systems or even creating unique bandit characters. Among these enhancements is True Moozic, which allows players to incorporate custom soundtracks into their gameplay.

However, The Indie Stone recently received multiple reports from users regarding a mod that allegedly executed malicious code. Upon immediate investigation, the developer discovered heavily obfuscated code within the mod, confirming that it was indeed creating harmful files outside the intended game directory. Further scrutiny revealed a total of 14 mods from the same user, with estimated installations ranging from 500 to 2,200 devices.

While the offending user has been banned and the malicious mods removed, The Indie Stone cautions players that the full extent of the damage caused by these files remains undetermined. They strongly recommend that anyone who downloaded these mods take comprehensive security measures, as simply uninstalling them may not suffice.

Clarifying the Situation

The problematic mods included soundtracks from various popular games such as Risk of Rain, Persona 5, Nier: Automata, Roblox, and Minecraft. The Indie Stone has clarified that the exploit was limited to Build 42 branches and emphasized that the malicious uploads were neither part of the True Moozic mod nor created by its author. Instead, these were unauthorized add-ons that did not utilize the True Moozic framework in any way.

In light of these events, The Indie Stone has also released a security update for Build 41, addressing a separate vulnerability identified during an internal audit. Fortunately, the developer has found no evidence that this vulnerability has been exploited. To further safeguard against potential risks, The Indie Stone has updated its ‘outdated unstable’ branch to align with the ‘unstable’ branch, ensuring that the outdated version will continue to lag one content update behind for the foreseeable future.
