The source code for the games Team Fortress 2 and Counter-Strike: Global Offensive have been leaked, leading to hackers reportedly able to deliver malware via Remote Code Execution to other players. Valve, the game’s publisher, confirmed the leak of a 2017/2018 versions of the software. According to a report on the issue from PCGamesN, several Team Fortress 2 server communities have advised players to avoid the game until further notice.
However, Valve reached out with a comment to USgamer over email, saying “We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds (as always, playing on the official servers is recommended for greatest security.” Valve is also directing anyone with useful information about the leak to its security page for steps on how to report those details.
Reports of Remote Code Execution in Team Fortress 2 and other Valve games remain unconfirmed. In fact, the source code is an old version and not currently running on official servers. Valve has issued numerous updates to both TF2 and CS:GO since 2017, including security and exploit patches. Nevertheless, Creators.TF, a popular community hub for Team Fortress 2, announced it was shuttering its multiplayer servers “for the foreseeable future” out of concern for its infrastructure and the security of players in the light of the leak.
Garry’s Mod creator Garry Newman cast doubt on any major vulnerability in the root Source engine—which would affect his popular mod — and asked fans to reach out if they learned of any major vulnerabilities or exploits.
(Garry’s Mod (also known as Gmod) is a sandbox mod for the Source Engine developed by Garry Newman and published by Valve Corporation. It is commonly used alongside Team Fortress 2 and other Source games to create community content such as videos or images for entertainment.)
Single-player games and games running on the Source 2 engine, such as Dota 2, are presumably not at any risk.
Still, the risk of RCE in the first place is a real threat. Wannacry was a well publicized example of a cyberattack enabled through RCE last year. This was a piece of ransomware that encrypted all files on victim’s PCs, demanding a substantial payment through cryptocurrency.
So, even if RCE hasn’t been confirmed, the fact that it’s even a possibility means that players may want to avoid the game until Valve releases a patch.
The game was first release in 1996 as a mod and became free to play in 2011. There is a very active trading community where upgrades and rare items can be bought for real world money in excess of $10,000 each.
This is a developing story and we will update you with reliable info as it appears.