Project Zomboid bans rogue mods deploying "malicious code" to players' PCs

Project Zomboid developer The Indie Stone has confirmed that it has identified and taken action against a series of mods for the zombie game that were "creating malicious files outside of the Project Zomboid directory." The mods in question were add-ons for the popular 'True Moozic' soundtrack expander and were unrelated to its original creator. They have been removed from the Steam Workshop and the perpetrator has been banned, but The Indie Stone encourages anyone who thinks they might have been affected to take action.

The best Project Zomboid mods have long been a highly recommended way to customize and enhance your adventure. With the overhaul to Build 42, there are countless options to tweak the world of Project Zomboid to your liking, whether you're looking to dramatically raise the car count, add water pipes and plumbing, or build custom bandits that have specific talents to impede your progress. Among those is True Moozic, which includes support to add custom soundtracks.

The Indie Stone notes that it recently "received reports from multiple users regarding a mod that was allegedly generating malicious code when run." It then "immediately investigated the mod in question, which contained heavily obfuscated code, and confirmed that it was creating malicious files outside of the Project Zomboid directory." Upon digging a little further, the developer spotted a total of 14 mods from the same user, all containing the exploit. It estimates the total installs across them all at "between 500 and 2,200 devices."

The user responsible has now been banned, and all affected mods have been removed, but The Indie Stone warns, "At this time, the full scope and behavior of the malicious files have not been fully determined. Because these mods were capable of creating files outside the game directory, we strongly recommend that anyone who downloaded them take appropriate security measures to ensure their system is safe. Simply uninstalling the mods is not sufficient."

The mods in question included soundtracks from a number of other games, including Risk of Rain, Persona 5, Nier: Automata, Roblox, and Minecraft. The Indie Stone notes that the exploit "only affected Build 42 branches." However, it did release a Build 41 security update yesterday, addressing "a separate vulnerability identified during an internal audit." It states, "At this time, we have found no evidence that this separate vulnerability has been exploited."

The developer also clarifies that the malicious uploads "are not the True Moozic mod, nor were they created by the author of the True Moozic mod. The affected mods were simply add-ons - they did not leverage the True Moozic mod as part of the exploit, and they were made without the consent of the True Moozic mod's author." As all of the problem files have been removed, any mods still on the workshop are "not part of this incident."

In order to ensure that it doesn't leave the vulnerability accessible in any way, The Indie Stone has also updated its 'outdated unstable' branch to match the 'unstable' branch. This means that the outdated version "will continue to lag one content update behind unstable" for the foreseeable future.