What happened
The Indie Stone pulled 14 Project Zomboid Workshop items after discovering deeply obfuscated code inside them that was creating files outside the game folder. The studio says the issue was flagged on April 7, they inspected the first mod and then found the same exploit in a bunch more. The uploader has been banned and the affected mods were removed from the Workshop.
Those add-ons were installed on roughly 500 to 2,200 machines, according to the developer, so this isn’t exactly a one-off blip. The team hasn’t been able to fully trace what the extra files did, so they’re telling anyone who installed the mods to assume their system might be compromised until proven otherwise.
Important technical note: this problem only hit the Build 42 branch — the unstable testing version. Build 41, the stable release, wasn’t vulnerable to that specific exploit. The studio also pushed unrelated security updates for Build 41 after an internal check, but they say there’s no sign that flaw was actively abused.
Who was affected and why it matters
The removed items weren’t the main True MoooZIC mod and weren’t made by that mod’s original creator — they were third-party add-ons published without the author’s permission, which caused a lot of confusion in the community. The pulled packs included music add-ons inspired by titles like Persona 5, NieR: Automata, Hotline Miami, Silent Hill, Cowboy Bebop, Katana ZERO, Risk of Rain and Minecraft.
Why gamers should care: mods normally change in-game stuff, but code that writes outside the game can affect your whole machine. That can range from annoying clutter to actual security headaches, so even if your save files and gameplay seem fine, your OS might not be.
What to do right now
Short version: don’t panic, but don’t ignore it. If you had any of these Workshop items installed, uninstall them — but know that removing the mod from the game might not remove any rogue files it dropped.
Steps to take: run a full antivirus/antimalware scan, check common folders (Documents, AppData, game directories) for odd files, and consider a secondary on-demand scanner for a second opinion. If you see anything suspicious, isolate the machine, change passwords if you used it for sensitive stuff, and restore from backups if needed.
Finally, keep an eye on official Indie Stone updates and on Workshop notes for any follow-ups. The developer has already acted quickly to remove the threat, but user-side checks are the critical next move.
