The developers behind a popular “open source MMO RTS sandbox game for programming enthusiasts” on Steam, named Screeps: World, have been forced to update their game “in order to protect both players” and their “own reputation,” following the discovery of an alleged “remote code execution vulnerability” that would enable players to take control of other players’ computers. Even worse, the person who helped discover the vulnerability in question alleges that Valve “ignored” their reported findings.
If you’re noticing an overabundance of quotes in the previous paragraph, there’s a good reason for that, as this story spawned out of a rather nasty back-and-forth on X between Screeps: World’s developers, Screeps, LLC, and an “information security” aficionado by the name of Isaac King.
As King explained in his initial post, Screeps: World apparently allowed “any other player in the game world to gain remote access to your computer” through the use of a programming exploit. For context, Screeps: World is a programming game that lets players write their own code in JavaScript, which is then used to craft their own custom-made AI units.
As of this writing, the game is sitting at a “Very Positive” review score on Steam, having amassed roughly 1,876 reviews and, according to VG Insights, over 113,000 individual purchases.
If you want the exact explanation of the reputed vulnerability, I strongly suggest reading King’s highly detailed write-up of the exploit on his blog. I will, however, warn you in advance that it requires (at least) a basic understanding of JavaScript to follow fully.
Thankfully, King includes an analogy for “non-programmers” in the conclusion: “imagine if there were one particular kind of unit in Starcraft that, if you trained it, let people hack your computer. And when pointed out, the game designers said ‘well this is self-inflicted, the players all chose to train that unit’.”
King also explains that the developers have been aware of the issue since July 2024, as one of Screeps, LLC’s two developers replied to a report on GitHub detailing the vulnerability. The dev in question replied, stating that they “do not see this as a serious security threat.” However, a user from the Screeps Discord noted that the vulnerability had been successfully abused in the past.
Once the initial post on X began to gain traction, the official Screeps X account replied stating that the accusation was “at the very least, a clickbait exaggeration, and at worst, malicious defamation intended to cause reputational damage.” Nevertheless, they also stated that the alleged vulnerability has, as of January 25, been removed from Screeps: World.
The potentially more worrying side of this is that King noted in his blog post that he’d reported the issue to Steam directly, but didn’t receive a reply: “I reported the game to Steam, which of course they ignored. Their terms of service make them not liable for any hacks caused by malware on the platform, so if it’s getting sales from which they can take a cut, why do anything about it?”
We’ve reached out to Valve to corroborate this, and will update the piece if they reply.
