Steam game People Playground hit by malware via the Steam Workshop

Oh dear. People Playground from mestiez / Studio Minus recently had a major problem with malware pretending to be a mod in the Steam Workshop.

I would say this is a reminder to be careful on what you're downloading - but these types of things are quite difficult for normal users to spot until it's too late. For many it was too late, since this wiped away various things. On Windows at least, it's not clear if it affected Linux (with the game run via Proton).

In PSA posted on Steam the developer said on February 1st they disabled the Steam Workshop, and a few days later released a security update to prevent the issue in future and as of February 6th they have enabled the Steam Workshop once again.

The developer has a forum post on Steam that goes over various details of what the malware did, here's an excerpt from it:

to put it simply: a mod was uploaded "FPS++" which turned out to be a worm malware.

here is a list of EVERYTHING the mod does (since people were asking to read the code themselves, which i will not share myself as its a security risk.) once the game is launched with the mod enabled:

1. silently votes and favorites the mod (FPS++)
2. scans every workshop item you published, edits all of them silently, reuploads content, changes descriptions (1 in 2 chance to add "optimized" to the new mod's description), adds tags, upvotes and favorites all of those items.
3. creates and uploads a brand-new public workshop item under your account. copies the mod’s files, title, thumbnail, and description into it. upvotes and favorites that new item too.
4. resets your steam stats for the game, such as achievements. your playtime is untouched. also deletes configs, control schemes, stats, caches, maps, contraptions, and prefs.
5. wipes mod json files and empty mod folders.
6. disables every other mod except itself and one hardcoded name.
7. makes fps cap 10000, disables shady code protection.
8. makes it look like the mod is working by multiplying the fps counter, lmao.

everything—except achievements—are completely gone and unrecoverable after youve been infected. if you want your achievements back, you can use 3rd party tools that i will not link in order to spoof the game into thinking you had the achievements you previously had. although this is technically cheating, so is your achievements being deleted after a ♥♥♥♥ decides to delete them all.

The Steam Workshop is a place where you can find some really amazing work from the community, but such a system is clearly open to abuse of different forms. Like back in 2022 the city-builder Cities: Skylines had an issue with multiple mods noted in a Reddit post, but a later announcement from the Cities: Skylines team clarified there were other issues that led to their removal. Then in 2024 a mod for Cities Skylines 2 as confirmed by Paradox Interactive was subject to a DLL hijacking attack.

Steam as a whole has been hit by malware directly in games multiple times too, with Valve announcing changes in November 2023 to hopefully prevent some of the issues.

In December 2023 we also had the developers of the standalone Slay the Spire mod Downfall announce a security breach where a malicious upload was able to overtake the game completely due to their Steam and Discord accounts being hijacked.

There's probably more cases but it really shows you can never be too careful.