Apparently hackers have added malware to Python scripts in Blender models. As long as Blender isn’t set to autorun files, you should be ok. But if you do download models from CGTrader, be careful for the next few weeks.
They stick malware in just about anything you download it seems. I don’t trust anything that comes down the line of any sort.
TBH I am not that keen on pressing ‘run’ on Godot web games either. I feel a bit better that my browser sort of isolates itself, a bit like a sandbox, but it still makes me uneasy. I know malware could lurk in old flash games for instance, and they feel a bit ‘flash’ like in that sense at least. I don’t know if Godot could do anything about that, probably not.
In game jams I typically only play web games the first day or so when judging until other people have downloaded and voted on .exe games for the exact same paranoid reason.
Browser games are waaaay safer than Flash games. In fact, they are no riskier than any plain webpage because they don’t use anything that a regular webpage couldn’t use. And browser security is taken super seriously these days.
Now, of course, security is a never-ending game of cat and mouse, and new vulnerabilities will keep getting discovered and patched until the end of time - but that doesn’t make web games any more dangerous than anything else.
The inclusion of malware in developer-centric resources though is vexing.
No, I mean - if you made a game in Godot, and then put malware in it - how would you distribute it? How would you get people to run it? If you put it on Steam/Gog/etc, you’d only get a handful of downloads before you and your game would be banned. And within a few days all noteworthy antiviruses would recognize your malware.
My point is - making a game as a trojan horse to distribute malware is quite inefficient. Expensive, and low reach. Putting it in dev assets is… also low reach, but cheap.
Well it’s the same in any engine that you use. And even if you don’t use an engine. At the end of the day, a PC game IS an .exe file. If you’re a Bad Guy™, you’re free to put whatever malware you want in that .exe file.
I guess you could make it harder to do it from Godot, but that isn’t even going to slow down any serious cybercriminal. They’re either going to switch to a different platform, or use one of the many tools that allow you to embed your own malware in an arbitrary .exe file (with encryption too). So a limitation like that would only inconvenience regular developers, not add any security.