
The BlockBlasters Incident: A Lesson in Software Supply-Chain Security
In 2025, a little-known indie game called BlockBlasters briefly appeared on Steam and quickly disappeared again - but not before causing real financial harm to unsuspecting users. What made the incident notable was not the game itself, but how it demonstrated a growing cybersecurity threat: malware delivered through trusted distribution platforms.
This article breaks down what happened with BlockBlasters, why it was effective, and why the same technique has appeared across multiple digital platforms, not just gaming stores.
What Was BlockBlasters?
BlockBlasters was advertised as a free-to-play 2D platformer and initially appeared harmless. Early versions of the game did not raise alarms, which helped it pass platform review checks and gain player trust.
However, after an update released weeks later, the game quietly introduced malicious code. This update transformed a legitimate-looking game into a delivery vehicle for malware.
What Did the Malware Do?
The malicious update installed background processes that:
- Scanned the system for stored credentials
- Targeted cryptocurrency wallets and browser extensions
- Exfiltrated sensitive data to external servers
Victims later reported unauthorized crypto transactions, with total losses estimated in the hundreds of thousands of dollars. Because the malware ran silently and piggybacked on a legitimate application, many users did not immediately realize what had happened.
Why This Attack Was So Effective
BlockBlasters succeeded because it exploited trust:
- Users trust platforms like Steam to vet software
- The game was initially clean, reducing suspicion
- The malicious payload was introduced via an update, which users are conditioned to accept automatically
This technique is a classic example of a software supply-chain attack: a trusted delivery mechanism is abused to reach victims, rather than the platform itself being directly compromised.
Steam Was Not the Only Risk: Other Distribution Platforms
While BlockBlasters appeared on Steam, similar attacks have occurred across many platforms:
1. Open-Source Repositories (GitHub, GitLab)
Malicious packages have been distributed through:
- Typosquatting (e.g., fake libraries with similar names)
- Legitimate projects compromised after gaining popularity
Developers who blindly install dependencies can unknowingly introduce malware into production systems.
2. Mobile App Stores (Google Play, Third-Party Android Stores)
Several cases exist where:
- Clean apps gained popularity
- Later updates added spyware or adware
- Users were infected automatically via updates
3. Browser Extension Stores
Popular browser extensions have been sold or hijacked, then updated to:
- Inject ads
- Steal credentials
- Track user activity
Because extensions often request broad permissions, the impact can be severe.
4. Modding Platforms and Game Launchers
Game mods, launchers, and cheat tools are frequent malware vectors because:
- They run with elevated permissions
- Users disable antivirus protections to use them
- Distribution often relies on community trust rather than formal review
Key Security Lessons
The BlockBlasters incident highlights several important lessons:
- A trusted platform does not guarantee safe software
- Updates can be as dangerous as initial installs
- Free software still has a cost - sometimes paid in data or money
Practical Steps for Users
To reduce risk:
- Use reputable antivirus and keep it enabled
- Avoid storing crypto wallets or private keys on general-use machines
- Review update behavior and permissions
- Be cautious with newly released or obscure software
- Prefer hardware wallets for cryptocurrency storage
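The lesson that updates can be as dangerous as initial installs, and the advice to review update behavior, can be turned into a concrete check. The following is an added example, not code from the original article or from G DATA's research: it snapshots an installed application directory by file hash before and after an update, then reports what the update added or changed, flagging new or altered executables and scripts for review. The directory layout, file names and list of suffixes are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes that deserve a closer look when an update introduces or alters them.
# Illustrative list, not exhaustive (assumption for this example).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".bat", ".ps1", ".vbs", ".py", ".sh", ".so"}


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_update(before, after):
    """Classify what an update changed between two manifests."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    # New or changed executables/scripts are the files a clean first release
    # never shipped; these are the ones to inspect before trusting the update.
    review = sorted(p for p in added + modified if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES)
    return {"added": added, "removed": removed, "modified": modified, "review": review}


def build_tree(root, files):
    """Write a constructed directory tree from a {relative path: bytes} mapping."""
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def demo():
    """Constructed scenario: a clean install, then an update that adds executables."""
    clean = {"game.exe": b"clean game binary", "assets/level1.dat": b"level 1",
             "data/config.ini": b"[video]\nvsync=1\n"}
    updated = dict(clean)
    updated["assets/level1.dat"] = b"level 1 v2"              # benign content change
    updated["launcher/update_helper.bat"] = b"placeholder script"  # new script
    updated["libs/helper.dll"] = b"placeholder native library"   # new native code
    with tempfile.TemporaryDirectory() as tmp:
        build_tree(Path(tmp, "v1"), clean)
        build_tree(Path(tmp, "v2"), updated)
        return diff_update(snapshot(Path(tmp, "v1")), snapshot(Path(tmp, "v2")))


if __name__ == "__main__":
    print(demo())
```

Run against a real install, `snapshot()` would be taken before the update and stored, and `diff_update()` run after it; the "review" list is the starting point for inspection, not a verdict.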
Conclusion
BlockBlasters was not just a malicious game - it was a real-world example of how modern cyberattacks exploit distribution channels rather than vulnerabilities. As digital ecosystems grow more complex, attackers increasingly rely on trust, convenience, and automation to do the work for them.
Understanding incidents like BlockBlasters helps users, developers, and platform operators recognize that cybersecurity is no longer just about avoiding “sketchy downloads,” but about maintaining vigilance even within trusted environments.
Source
This analysis is based on public reporting of the BlockBlasters incident. For more technical details, see the research published on the G DATA Software Blog.
