I Found Malware in a BeamNG Mod

I worked on BeamMP[0][1], for 5 years, both as a project manager and lead developer for the server and client. BeamMP is a wildly popular multiplayer mod for BeamNG (1M registered players, always at least 3k concurrent players, also it's AGPL licensed). I left the team this year, but I can tell you: Mods, if they manage to break the sandbox in any way, can do anything, and the BeamNG sandbox will never be perfect. To their credit, the BeamNG devs have hired people from the community who do a lot of security research, and they have found numerous issues and fixed them before they could be exploited.

We have seen prototypes that can make network requests out of the sandbox, call winapi functions, and do anything else with the same privileges as the game, which, worst case, is admin because players like running things as administrator. All of those exploits are fixed, now.

The issue remains one of the largest problems in the community, and sites that are well known for distributing mods with malware (which is pretty common) are at the top of Google search results.

BeamMP allows mods on servers, which causes clients to download and then execute code from those mods. That's a huge attack vector and BeamMP has been working hard to warn users and to come up with ways to prevent problems; but without funding (BeamMP is free) there is a limit on what can be done. The infrastructure costs already are sky high for supporting the crazy amount of users they have.

Sadly, everyone involved loves NDAs - I can only hope that companies start doing writeups, but I doubt it. So that's all the inside info I can give ;)

[0] https://beammp.com

[1] https://GitHub.com/BeamMP

This is the second time (we know of) BeamNG.drive being exploited due to bad security practices - the first time, disabling ASLR [0], leading to Disney being hacked, this time, disabling CEF sandboxing. It is weird to see them go out of their way to disable conventional security features on their product.

[0]: https://news.ycombinator.com/item?id=41063489

Still trying to understand - Did the mod developers intentionally shipped malicious code or they were compromised by some external attacker to target the downstream users?

Why is CEF used without sandbox?

Unrelated, on mobile, background is quickly oscilating colours giving an epileptic vibe

But did the malware do anything significant through proton to the host OS?

I hate malware. I found two Android apps using an obfuscator loaded via JNI (libjiagu_64.so) which crashes on startup (on GrapheneOS) and I am at a loss at what to do next which doesn't involve send reports into the void hoping it reaches an human with the time, skills and willingness to check what is really going on.

Summary: https://user934.com/2025/04/29/investigating-suspicious-beha...