Modding a survival game is supposed to make the experience better, not turn your PC into a security problem. For a subset of Project Zomboid players, that second scenario is exactly what happened.
The Indie Stone, developer of Project Zomboid, has identified and banned 14 Steam Workshop mods that contained "heavily obfuscated code" designed to create malicious files outside the game's directory. The mods were all uploaded by the same user, who has since been banned from the platform. All 14 mods have been removed from the Steam Workshop.
How a single mod report turned into a 14-mod sweep
According to The Indie Stone's post on Steam, players first flagged the issue when reports surfaced that a specific Workshop mod was "allegedly generating malicious code when run." The developer investigated, confirmed the reports were accurate, and then kept digging. What they found was worse than a single bad actor: the same account had uploaded a total of 14 mods, all carrying the same exploit.
The affected mods had been installed on between 500 and 2,200 devices each. That is a meaningful number of potentially compromised machines, even if it is not a platform-wide catastrophe.
Here's the thing: all 14 mods were music or audio replacements, branded under the "True MoooZIC" label and swapping in OSTs from games and shows like Persona 5, Silent Hill, Hotline Miami, NieR: Automata, Metal Gear Rising: Revengeance, and Cowboy Bebop, among others. They looked like exactly the kind of harmless quality-of-life mods that populate every Workshop library.
The full list of affected mods
If you play Project Zomboid with mods enabled, check your installed list against these Workshop IDs:
Build 42 players are the ones at risk
The exploit only affected players running Build 42, the game's current unstable testing branch. If you have been sticking with the stable Build 41 release, The Indie Stone confirmed you were "not vulnerable to this specific issue."
Build 42 players who downloaded any of the above mods are in a different position. The Indie Stone has not yet confirmed exactly what the malicious files were doing, but the language in their statement is direct: simply uninstalling the mods is not enough to consider your system clean.
warning
The Indie Stone states that "simply uninstalling the mods is not sufficient." If you installed any of the 14 affected mods on a Build 42 installation, run a full malware scan and take additional security measures to check your system.
What this means for the Workshop modding ecosystem
The key here is that this was not a random injection into an existing popular mod. Someone created 14 new accounts, published 14 seemingly legitimate audio mods, and embedded obfuscated code into all of them. That is a deliberate, structured attempt to reach as many players as possible under the cover of innocent-looking content.
The Indie Stone caught it relatively quickly once players raised the alarm, which is the community doing exactly what it should. But the incident raises real questions about how Workshop submissions are screened before they go live, and how obfuscated code makes it past any automated checks. For the broader PC modding community, this is a reminder that Workshop mods run with the same trust level as any other software you install, and audio mods are not inherently safer than gameplay mods. Make sure to check out more:
