Skip to main content

Team Fortress 2, CS:GO code leaks threaten your PC: What to do now

Counter-Strike: Global Offensive
A screen shot from Counter-Strike: Global Offensive. (Image credit: Valve Coporation)

It’s pretty hard to spread malware through an online game, but cybercriminals will still try. 

The entire source codes for popular online shooters Counter-Strike: Global Offensive and Team Fortress 2 leaked online recently, bringing up (justified) concerns that the games could be ripe for hacking. 

Developer/publisher Valve has reassured fans that the games are safe to play. But, as with any potentially compromised software, there’s the question of what will come first: an official Valve patch or a hacker’s malware injection.

This information comes from ZDNet, which explained that source code for 2017 builds of CS:GO and TF2 leaked on 4Chan and torrent sites beginning Tuesday (April 21), which means the code may very well already be in the hands of hackers. 

The CS:GO build apparently leaked in a very limited form back in 2018, but has now become more widely available. As to whether these hackers could do anything with the source code — or at least anything that Valve couldn’t anticipate and correct — is harder to say.

Valve issued a statement to ZDNet meant to reassure online gamers:

“We have not found any reason for players to be alarmed or avoid the current builds,” said Doug Lombardi, VP of marketing at Valve. “As always, playing on the official servers is recommended for greatest security.”

How safe is Team Fortress 2?

However, Ars Technica posted another sentence from what appeared to be the same Valve statement: "We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018."

But when Ars Technica asked about TF2 in particular, the company did not reply. 

Whether this means CS:GO is the safer option of the two isn’t clear. Ars Technica seems to think so, but the statement seems to offer reassurances for both games. Players will have to evaluate it for themselves and, for the time being, play at their own risk.

How you can protect yourself from infected games

In fact, “play at your own risk” seems to be about the best advice we can offer at the moment. Even if hackers get their hands on a game’s source code, it will take them some time to discover a vulnerable part of the game and develop a malware injection for it. 

This injection isn’t guaranteed to work once it’s out in the wild, especially because the source code in question is so old. Furthermore, both games are still actively supported, and Valve is aware of the leak and probably already working on potential fixes.

In other words: The safety of CS:GO and TF2 isn’t guaranteed. But an awful lot of stars would have to align in order for anything to go grievously wrong within the next few days. (As the weeks draw on, this calculus changes.)

There are two ways to avoid malware from CS:GO and TF2. One is to avoid playing the games entirely, which is feasible. There are plenty of other free PC games to play, including online shooters. 

The other way, of course, is to have one of the best antivirus programs installed. Whatever malware the hackers decide to use will probably be well-known and documented, which means that a decent program will be able to detect and delete it before it ever makes contact with your hard drive. 

Illicit activities in CS:GO are not unprecedented. Last year, the Belonard malware made the rounds on almost 40% of CS:GO servers after hackers exploited a zero-day vulnerability. 

There’s also a decent argument to be made that CS:GO’s primary purpose is now to be a complex money-laundering machine (for crooked players, not for Valve). If you want to keep playing, play smart.