Downfall, a fan expansion for the popular Slay the Spire indie strategy game, was breached on Christmas Day to push Epsilon information stealer malware using the Steam update system.
The app affected is the prepackaged version of the Downfall Mod with Slay the Spire, not the Steam Workshop version, apparently. (I have the Downfall mod but didn't know the pre-packaged version was a thing!)
"The breach window was roughly 1:30 PM-2:30 PM Eastern (1830-1930 UTC+0) on 12/25. If you did launch Downfall on 12/25 during the breach window and got a Unity library installer popup, please continue to read. You may be also at risk. The security breach allowed a malicious upload to replace the Downfall packaged game," Mayhem said in a statement published on Wednesday.
I love Steam and wouldn't lay the blame for this on them but this is why you need to use trusted software sources and isolate machines that use less trustable software.
Downfall, a fan expansion for the popular Slay the Spire indie strategy game, was breached on Christmas Day to push Epsilon information stealer malware using the Steam update system.
The publisher got pwnd and the malware got pushed out over Steam. No different from someone publishing a malicious game directly.