Downfall Steam build carried Epsilon
A compromised Table 9 Studio account replaced the standalone Steam build of Downfall with Epsilon Stealer on Christmas Day 2023.
Story
Downfall was not a poisoned Steam Workshop mod. It was the standalone Steam package for a major Slay the Spire fan expansion. On December 25, 2023, a breached developer account let the attacker replace the packaged game on the public Steam branch.
The replacement did not behave like Downfall. Players who launched the affected build saw a Unity library installer prompt. That prompt was the visible edge of Epsilon Stealer, which targeted browser credentials, cookies, payment data, Discord and Steam material, Telegram data, and files with password-like names.
The distinction between standalone and Workshop mattered. Players who used the Steam Workshop version of the Slay the Spire mod were not in the same distribution path; the compromised artifact was the standalone app build that Steam delivered as the game package.
Table 9 Studio said the exposure window was brief, roughly 12:30 to 1:30 p.m. Eastern on December 25, and affected the standalone Downfall branch, not the Workshop path. The developer knew of three affected users at disclosure time, but any player who launched during the window was told to scan the system and rotate important credentials.
The incident is included because it shows the same supply-chain shape as larger software compromises at a smaller scale: compromise the publisher account, replace the trusted artifact, and let a normal update or install path put credential-stealing code on user machines.
Affected Artifacts
- Observed: 2023-12-25
- Compromised Versions: Unknown
- Fixed: Not listed
- Evidence:
  - distribution: store.steampowered.com/app/1865780/Downfall__A_Slay_the_Spire_Fan_Expansion
  - mirror: steamcommunity.com/app/1865780/discussions/0/4034727291141682949
  - malware: Epsilon Stealer
  - observable: Unity library installer prompt appeared when the replaced build was launched.
- The official developer post described the affected channel as the main branch of standalone Downfall, not the Steam Workshop mod path.
- The official developer post described the breach window as roughly 12:30-1:30 p.m. Eastern on December 25, 2023.
- The developer said three users were known to be affected at disclosure time; the actual total may be higher.
Incident Context
- Motive: Credential Theft
- Cause: Compromised Account Credentials
- Transitive: No
- User Impact: 3
External References
- Downfall Breach Information (Official), steamcommunity.com
- Downfall (Steam Standalone) was Breached, steamcommunity.com
- Steam game mod breached to push password-stealing malware, bleepingcomputer.com
- Downfall was compromised after a security breach, reddit.com
- Steam Game Mod Breached to Push Password-Stealing Malware, dailysecurityreview.com
Source record: proprietary/downfall/meta.yaml