• Brett@feddit.org
    1 hour ago

    I had the mod installed in the timeframe where it had the malware. Fuck me.

    But what really pisses me off is that I read about it first here on Lemmy. Not on the BeamNG forums/repository, not in the game, not in the Steam announcements of the game. Like you distributed malware over your platform and the policy of you fucks is just to stay silent? Meh.

  • brsrklf@jlai.lu
    3 hours ago

    This made me think, okay, this particular exploit uses malicious code in a mod that targets an old embedded chromium vulnerability, and can be fixed by updating the game’s dependencies. This game started a dozen years ago, but it’s still being worked on.

    How many retro games that are not still in development could have vulnerabilities like that? Especially moddable games.

  • Bezier@suppo.fi
    4 hours ago

    Mods that contain code always feel sketchy to me. How much can I trust whoever made this dll or such?

        • brsrklf@jlai.lu
          10 minutes ago

          They certainly don’t review code, but on those there must be at least a scan for the most obvious malicious stuff. I am not sure it’d detect something hidden like in the article though. After all even on the guy’s PC it was only detected once it tried to actually download stuff.

          The good thing about workshop is visibility, if someone notices something shady it’ll be known fast. Not perfect, but probably better than getting your mods from random sites nobody knows.

    • brsrklf@jlai.lu
      3 hours ago

      If you want extended mod support, you kinda need it though. Stuff like Minecraft and Rimworld come to mind.

      Rimworld has very good official mod support that lets you do quite a lot with completely safe XML configuration files. But as soon as you want to deviate a bit from what the vanilla game allows, you’d have to code that and embed it as a DLL in your mod.

      Almost all gameplay or UI mods are DLL mods or depend on one. Quick survey: I have about 250 DLLs from my active mod list.

      • Bezier@suppo.fi
        3 hours ago

        I know, and I hate it. I think the only way to fix this would be to support some limited scripting language, but that also sucks for other reasons.

        Open source would also help with trust.

        • brsrklf@jlai.lu
          3 hours ago

          I literally have a Rimworld mod that calls an external python script as a feature.

          It’s a special case, of course said script is not part of the mod package, it has to be installed manually. What it does is allow generating portraits for characters externally.

          I even rewrote the script to use local generation, but the one provided as an example calls an online API.

    • truthfultemporarily@feddit.org
      3 hours ago

      Every mod that adds functionality can do everything the user can do, except when it's sandboxed (for example Factorio, TES without script extender). It's really a huge attack vector.