Screeps: How a game about programming exposed thousands of players to remote code execution
SMRTR summary
Gamers playing Screeps, a strategy game where players code their own unit behaviors, faced an unexpected threat: other players could potentially hack their computers simply by naming game characters with malicious code. The vulnerability exploited the game's HTML-parsing console system, allowing attackers to execute arbitrary code on victims' machines through the Steam client. Despite being reported to developers two years ago, the security flaw was dismissed as harmless until a public exposé forced a rapid fix. The incident highlighted broader issues with the game's sluggish performance, broken features, and developer priorities focused more on monetization than core functionality. Even after patching the exploit, developers continued denying it posed real risks, claiming it would be players' fault if exploited. The controversy underscores how even beloved indie games with innovative concepts can suffer from poor security practices and developer negligence, leaving players vulnerable while chasing revenue streams.
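The class of flaw summarized above, a player-chosen name reaching a console that parses HTML, is closed by escaping untrusted values before they are rendered. The following is an added example, not code from the original article or from Screeps; the renderer functions, the log-line layout and the sample name are assumptions constructed for illustration.

```javascript
// Added example: a hypothetical console renderer, not Screeps' own code.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can start markup or break out of an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tagged template: literal parts are trusted markup written by the developer,
// every interpolated value is treated as untrusted text and escaped.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Weak pattern: a player-chosen name is concatenated straight into markup that
// the console later hands to an HTML parser.
function renderLineUnsafe(unitName, message) {
  return '<span class="log"><b>' + unitName + '</b>: ' + message + '</span>';
}

// Corrected pattern: same layout, but names and messages can only become text.
function renderLineSafe(unitName, message) {
  return safeHtml`<span class="log"><b>${unitName}</b>: ${message}</span>`;
}

// Lists the element names an HTML parser would see in a rendered line.
function tagsIn(html) {
  return [...html.matchAll(/<\s*([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed sample input: a unit name that carries markup instead of a plain label.
const constructedName = '<img src="x" onerror="/* attacker script would run here */">';

console.log(tagsIn(renderLineUnsafe(constructedName, 'harvesting')));
console.log(tagsIn(renderLineSafe(constructedName, 'harvesting')));
```

In the unsafe line the name contributes an element of its own to the parsed output; in the safe line the same name survives only as visible text.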
SMRTR provides this summary for quick context. The original article belongs to lobste.rs.