Project Zomboid Warns Players After Workshop Zero-Day Exploit
Original: Project Zomboid - Patching a Zero Day Exploit
The Indie Stone used a Steam news post to warn Project Zomboid players about a confirmed zero-day exploit in community mods. According to the studio, reports started arriving on April 7, 2026, and the team quickly verified that one mod was generating malicious files outside the Project Zomboid directory when it was run.
The follow-up investigation widened the scope. The studio said the same user had uploaded 14 mods carrying the same exploit, with the affected packages installed on roughly 500 to 2,200 devices each. The account was banned and the mods were removed from the Steam Workshop, but the team stressed that uninstalling the mods alone is not enough. Because the files could be written outside the game folder, players who installed them were told to take additional security steps to make sure their systems are safe.
The announcement also separated this incident from other branch-level work. The exploit applied only to Build 42 branches, and Build 41 was not vulnerable to that specific issue. However, Build 41 received its own security update the same day after a different vulnerability was found in an internal audit. The Indie Stone said it has found no evidence that the separate Build 41 issue was exploited. It also aligned the outdatedunstable branch with unstable so an older branch would not keep a known hole open.
One of the most important clarifications is about attribution. The studio said the affected packages were add-ons for True MoooZIC, not the True MoooZIC mod itself, and they were created without the original author's consent. That matters because exploit headlines can quickly poison trust across an entire mod ecosystem if players cannot tell whether the main project or a derivative upload caused the problem.
This is a serious reminder of how much trust mod-enabled PC games ask from their communities. Project Zomboid's response is noteworthy not because the incident happened, but because the team documented the scope, removed the uploads, explained the branch impact, and corrected community misunderstandings in one public update. For players and mod creators alike, the story is less about one bad actor and more about how fast a platform and a studio can contain damage when workshop tooling is abused.