Skylines players warned to check for malware after malicious code is discovered in mods

Players who use mods to play Cities: Skylines have been warned to check their machines for malware after several popular mods were found to include malicious code.

A hidden auto-updater has reportedly been bundled in all the mods “redesigned” by a modder aptly known as Chaos. As well as being made a core download for several other mods, it crippled any mods not made by Chaos, forcing around 35,000 unwitting players into using more infected mods.

“Malicious code has been found in mods published by an author using the names Holy Water and Chaos,” a pinned post on the Cities: Skylines subreddit warns. “These mods have been ‘forks’ (modified and reuploaded versions) of popular mods from well-known creators (e.g. Harmony, Network Extensions, Traffic Manager: President Edition). Several (but not all) of these mods have been removed from the Steam Workshop and the author’s account is currently suspended.

“We recommend in the strongest possible terms that you unsubscribe from all items published by this author and do not subscribe, download, or install any mods, from any source, that may be published by this individual in future.”

A moderator of the subreddit additionally told NME: “Users install Harmony (redesigned) for a particular reason, suddenly they get errors in popular mods. The solution provided is to use his versions. Those versions gain traction and users, and people come across them instead of the originals… and see Harmony (redesigned) marked as a dependency. Users install Harmony (redesigned) with the [automatic updating code] bundled with it. Suddenly you have tens of thousands of users who have effectively installed a trojan on their computer.”

Although Valve has now reportedly banned Chaos (and their known alt accounts) and removed the infected mods, players are still worried they can return, as a loophole in Steam Workshop rules means Chaos may be able to edit and update their mods from accounts other than those banned.

“Chaos can then remotely deploy any code he chooses to users simply by releasing updated code on his GitHub,” the anonymous moderator added. “There is no validation by Steam, GitHub, or any third party. It’s a direct link from Chaos’ brain…