Slay the Spire forum. Followers: 187,096. Posts: 2,826,571

Attention players who downloaded the Downfall mod on PC (moderators, please mark this as a featured post urgently)

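Whether or not you have updated, I recommend a full-disk virus scan. I got hit over the past two days: one of my Steam accounts was stolen the day before yesterday. Fortunately, the account has already been recovered using my Alipay information.
If, after scanning, you find a trojan file in the C:/[username]/Appdata/Local/temp folder, then unfortunately you have very likely been hit.
Delete that trojan file immediately, and change every password you have saved in Chrome, Edge, Firefox, Discord and Steam; otherwise the account is very likely to be stolen by hackers.
If you have unfortunately had an account stolen, don't panic too much; at the very least, Steam Support will recover it for you based on the evidence you provide.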


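IP location: Jiangxi, floor 1, 2023-12-28 17:26
    Below is the route for recovering a Steam password.
    First, change your password immediately. If the password change succeeds, you can skip everything that follows and declare the battle to protect your password won. But if the password change fails and the email address has been changed, don't worry, there are other ways.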


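    IP location: Jiangxi, floor 2, 2023-12-28 17:44
      When the email address is changed, Steam will always send an email from its support mailbox to your original email address. Open your original mailbox and look at that email.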


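      IP location: Jiangxi, floor 3, 2023-12-28 17:56
        Open "Verify your location" and click "I cannot access the email address".

        Lock down the Steam account through a series of questions and answers, then open the following email.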


        IP location: Jiangxi, floor 4, 2023-12-28 17:59

          Follow the dedicated link and go through a series of questions and answers to reach the support Q&A.


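          IP location: Jiangxi, floor 5, 2023-12-28 18:02

            Provide them with Alipay screenshots and other evidence and wait for a reply; the reply will be sent to your mailbox by email.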


            IP location: Jiangxi, floor 6, 2023-12-28 18:04
              I don't get it. How did you determine that the Downfall mod was the problem?


              IP location: Guangdong, floor 7, 2023-12-28 18:04

                Recovery succeeded. You can recover the account through the password-change email in your mailbox.


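                IP location: Jiangxi, floor 8, 2023-12-28 18:05
                  Tip: a reply from Steam Support usually takes one or two days. Also, if you keep being told that it cannot determine whether you are a robot, try a few more times, or open the link from a mobile mail client.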


                  IP location: Jiangxi, floor 9, 2023-12-28 18:10
                    Below is the official update record from the authors of the Downfall mod.
                    (Update 7:19 PM Eastern 12/27, 0020 UTC+0 12/28) - We just updated the game intentionally, switching to a fresh clean depot for future use. Do not be alarmed if you see an automatic update.
                    Hello everyone. I bring some unfortunate news today. Yesterday, Christmas Day, at roughly 12:30 PM Eastern time, we experienced a security breach. At roughly 1:20 PM (1820 UTC+0 on 25/12), that breach allowed a malicious upload to overtake our game on Steam's library for a period of roughly one hour. Our Steam and Discord accounts were hijacked, and though the Steam accounts were able to be recovered late in the evening, we were limited in our ability to warn or communicate immediately following the breach. Fortunately, we were able to contain the actual breach much more quickly than the amount of time it took to recover the accounts. The important parts you need to know are:
                    -The breach window was roughly 1:30 PM-2:30 PM Eastern (1830-1930 UTC+0) on 12/25.
                    -Downfall is safe to launch once more, and has been since roughly 2:30-2:40 PM Eastern on 12/25 (1920 UTC+0 on 12/25).
                    -If you did not launch Downfall in the breach window, you're clear.
                    -If you got an automatic update for Downfall on 12/25 but did NOT launch, you're clear.
                    -If you launched Downfall via the Steam Workshop (meaning you actually launched Slay the Spire), you're clear.
                    -If you did launch Downfall on 12/25 and succeeded and everything looked normal, you're clear.
                    -If you did launch Downfall on 12/25 and saw a command-prompt like screen, that started spitting out a bunch of text after about 10 seconds, you're in the clear. That was actually just the Java log which we usually keep hidden, but accidentally left visible when we restored the game.
                    -If you did launch Downfall on 12/25 and got a 'no .exe found' type of error, you're clear. That was us exploding the game to prevent anyone else from being affected.
                    -If you did launch Downfall on 12/25 during the breach window and got a Unity library installer popup, please continue to read. You may be also at risk.
                    The security breach allowed a malicious upload to replace the Downfall packaged game. If you were one who saw that Unity library popup, here is the information we have at this time involving the malware that may have affected you:
                    Most Antiviruses seem to have not stopped the malware specifically from executing, but do stop its payload from being sent across the internet. This means you aren't automatically damaged by the attack.
                    The payload it tries to scrape and generate involves passwords, specifically from your browsers, Discord, and a few other applications: Windows local login, Google Chrome, Yandex, Microsoft Edge, Mozilla Firefox, Brave, Vivaldi, Telegram, Discord, and files that might contain the word 'password' (if 'password' is in the filename).
                    If you saw the Unity popup or otherwise feel you may be breached, we recommend changing important passwords, particularly ones that are not set up for 2FA (2-factor authentication). Any account that is set up for mobile 2FA should be immune. You should also be sure your live protection is active and run scans. Though, for full peace of mind, I personally am electing to reset and wipe all of my drives from my affected hardware.
                    The payload included the installation of a "WindowsBootManager as an application under my user's AppData folder. Also "Windows Boot Manager is a video game".
                    One user reported: In your users/[username]/AppData/Local/Temp folder, there will be several files the Trojan creates. One will be called epsilon-[username].zip, which contains everything the Trojan has stolen -- Discord info, autocomplete, saved passwords, network info, cookies, saved credit cards, steam info. WARNING: If you go investigating these files for yourself, do so without being connected to the internet, just in case there is still some possibility of retriggering an event.
                    Another user reports: "It was under Local\microsoft\windows\0 for me. It said it was a video game, and from a name i didn't know. I checked on another computer on windows 11 and this file didn't exist. I deleted it and i had no problem restarting the computer afterward, but it was scary.
                    The other file was named unitylibmanager and was found under local\temp\ and i think this one was the original offender.
                    I also had a problem with Discord, can't say it was linked but it said the .exe was infected, so i deleted everything."
                    Also can confirm: "I found WindowsBootManager as an application under my user's AppData folder. Also "Windows Boot Manager is a video game" lmao. I deleted all of them manually."
                    (UPDATE 12.27.23 2:29 AM) Another user has reported: it looks like in my (user)/AppData/Roaming folder there is a folder named 'UnityLibManager' which was created at the time of all the other malicious folders/files and that was what windows defender detected ('UnityLibManager.exe')
                    We are still working with any affected users to gather and share as much data as we possibly can. We are also communicating with Valve on the nature and timing of the breach so they can also help from their end.
                    For those concerned about future breaches, we purged the affected hardware that was breached completely, a full hard drive wipe. We've also added additional security and are in the process of transferring ownership of Downfall to a dedicated Steam account that solely is responsible for uploading to it and is never used or logged in for any other purpose. As much as we like to think we're safe, the reality is that any account that is actively used (that is, logged into frequently) is always at risk to a malware attack, and in this case, Downfall was owned by an active account. When that active account became compromised, so did Downfall. The act of the account being logged in at all was all that was needed for the breach to happen in this case.
                    I can't apologize enough to the affected users. The thought that someone would hijack a free passion project for malicious intent is truly vile. If you are an affected user, please contact me either on steam, or Discord (mikemayhemdevthesecond), or email (michael.may@table9studio.com) and I will do everything I can to help. Downfall is nothing without its players and the joy surrounding it and I am appalled at the attack.
                    Thank you all for your understanding. I will continue to update as any more information comes my way.
                    -Michael Mayhem


                    IP location: Jiangxi, floor 10, 2023-12-28 18:10
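A read-only check for the file and folder names that affected users reported in the announcement quoted above. This is an added example, not code from the thread or from the Downfall team; the function name `scan_appdata` and the `BREACH_START` constant (year 2023 taken from the update stamp) are assumptions made for illustration, and a name match is only a lead on where to look.

```python
import fnmatch
import os
from datetime import datetime, timezone
from pathlib import Path

# File and folder names reported by affected users in the announcement.
# Compared case-insensitively; a name match is a lead, not proof of infection.
INDICATORS = [
    ("epsilon-*.zip", "archive of collected data (reported in Local/Temp)"),
    ("unitylibmanager*", "UnityLibManager (reported in Local/Temp and Roaming)"),
    ("windowsbootmanager*", "WindowsBootManager application (reported under AppData)"),
]
# The malicious upload is given as roughly 1820 UTC on 12/25 (assumed year: 2023).
BREACH_START = datetime(2023, 12, 25, 18, 20, tzinfo=timezone.utc)


def scan_appdata(appdata):
    """Return sorted (path, reason, modified_utc, after_breach) for each name match."""
    hits = []
    for root, dirs, files in os.walk(appdata, onerror=lambda err: None):
        for name in dirs + files:
            for pattern, reason in INDICATORS:
                if not fnmatch.fnmatchcase(name.lower(), pattern):
                    continue
                full = Path(root) / name
                try:
                    modified = datetime.fromtimestamp(full.stat().st_mtime, timezone.utc)
                except OSError:
                    continue  # vanished or unreadable; skip rather than abort the scan
                hits.append((full, reason, modified, modified >= BREACH_START))
    return sorted(hits, key=lambda hit: str(hit[0]).lower())


if __name__ == "__main__":
    # Reads metadata only: nothing is opened, executed or deleted.
    profile = Path(os.environ.get("USERPROFILE", str(Path.home())))
    for path, reason, modified, after_breach in scan_appdata(profile / "AppData"):
        flag = "AFTER BREACH START" if after_breach else "older than breach"
        print(f"{modified:%Y-%m-%d %H:%M}Z  [{flag}]  {path}  <- {reason}")
```

Entries flagged as older than the breach start are more likely unrelated files that happen to share a name.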


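                        The above is my personal summary of how I got hit this time and how I recovered my password. First, it is for everyone's convenience; second, it is to fight the account-stealing hackers; third, it also counts as an exchange of experience among fellow sufferers. If you have questions you can ask me, and I will reply when I get the chance.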


                        IP location: Jiangxi, floor 12, 2023-12-28 18:13


                            I suggest installing Kaspersky.


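                            IP location: Xinjiang, from the Android client, floor 14, 2023-12-28 18:35
                              It auto-updated at exactly that time. I scanned twice and found no problems. Would adding the mobile authenticator to Steam help?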


                              IP location: Chongqing, from the Android client, floor 15, 2023-12-28 19:03