Additional reporting by Jake Tucker
Popular mods for Cities: Skylines have been bundled with malicious code by their creator, who reportedly used an automatic updater to infect users with a trojan horse and degraded performance for specifically targeted fellow modders and employees of developer Colossal Order.
In 2021, a modder going by the name of Chaos launched a “redesigned” version of a mod called Harmony, a vital framework project that most mods in Cities: Skylines rely upon to function.
Chaos then also “redesigned” several popular mods for the game, and listed his modified version of Harmony as a core download – meaning that players would have to download it for any dependent mods to work.
However, it’s been discovered that an automatic updater was buried in this version of Harmony, which would allow Chaos to deliver malware to the devices of anyone that downloaded it. Other malicious code was used to cripple the performance of other mods, which in turn caused players to download more of Chaos’ mods, as they were advertised as solutions to these issues. This was discovered when some of the affected modders, after receiving reports of slow performance from fans, found the malicious code.
Speaking to NME, a moderator of the Cities: Skylines subreddit told us what happened:
“[Chaos] forked another popular mod, and set their version of Harmony as a dependency. They then added fake error messages into this mod which would fire if you used the original Harmony, enticing users to their version. Then they implemented an access control list that would block certain Steam IDs from using their mods or interrogating any of their code.”
Our source, who has chosen to remain anonymous due to being targeted by Chaos in the past, says that “in essence he’s created a vicious cycle.
“Users install Harmony (redesigned) for a particular reason, suddenly they get errors in popular mods. The solution provided is to use his versions. Those versions gain traction and users, and people come across them instead of the originals… and see Harmony (redesigned) marked as a dependency. Users install Harmony (redesigned) with the [automatic updating code] bundled with it. Suddenly you have tens of thousands of users who have effectively installed a trojan on their computer.”
“Chaos can then remotely deploy any code he chooses to users simply by releasing updated code on his GitHub. There is no validation by Steam, GitHub, or any third party. It’s a direct link from Chaos’ brain to users’ computers. If users run the game as [an] administrator for any reason, this could expose them to keyloggers, viruses, bitcoin mining software – literally anything.”
Separate malicious code also checked users’ SteamID against a list that included the accounts of modders, community members and even employees of Colossal Order, the game’s developer. If someone on this list was detected, the code blocked the user from investigating the mod’s code and would also cripple the user’s performance.
Valve has removed several of the mods that feed into the automatic updater, and banned the latest account of the modder, which went by the name Holy Water. The original account – Chaos – was previously banned for doxxing other members of the community. However, by this point there were around 35,000 downloads for Chaos’ mods – and it’s likely that the real number is even higher.
“What’s been implemented would let him cryptolock a bunch of machines, create a botnet (and DDoS his enemies?) or mine cryptocurrency,” added our source.
Though both of Chaos’ accounts have been banned by Valve, there’s a concern that he will return to spread more malware – especially because a loophole in the Steam Workshop rules would allow him to continue working on his mods from another account even if the existing accounts remain banned.
Right now, legitimate modders are undergoing a “massive education campaign” to raise the Cities: Skylines community’s awareness of what’s going on, in the hopes that they can reduce the chance of any future harm befalling their community.
We’ve reached out to Valve, and will update this story if we get a response.