PSA: If you still play Team Fortress 2 or Counter-Strike: Global Offensive, you may want to put them away for a little while. It is being reported that hackers have obtained the source code and have created remote code execution exploits for the game. While these accounts have not been confirmed, the risks associated with RCE attacks warrant extreme caution until the problem has been fixed or confirmed as a false alarm.
Update (4/23): Valve has been quick to respond and dismiss this as a risk to Team Fortress 2 or Counter-Strike players, saying the code leak took place years prior and there's no reason to be alarmed. Check out the full statement on the Twitter thread below.
Regarding today's reported leak of code, specifically as it pertains to TF2: This also appears to be related to code depots released to partners in late 2017, and originally leaked in 2018.— Team Fortress 2 (@TeamFortress) April 23, 2020
It seems that the source code for Team Fortress 2 has leaked and has led hackers to develop a way to infect other players with malware. The source code appears to be from 2017 and 2018 versions of Counter-Strike: Source and Team Fortress 2, according to Steam Database.
A tweet from one TF2 fan indicates that remote code execution exploits have already been spotted in the wild. This allegation has yet to be confirmed, but if true, this poses a severe risk to players. An RCE attack can give a hacker full control over your computer or execute any code without the user's permission. Remote code execution is what the Wannacry ransomware attacks used that caused so much trouble as late as last year.
Source code for both CS:GO and TF2 dated 2017/2018 that was made available to Source engine licencees was leaked to the public today. pic.twitter.com/qWEQGbq9Y6— Steam Database (@SteamDB) April 22, 2020
Combing through the forums reveals some who have played down the potential for harm. Reddit moderator Demoman claims that the source code is "old" and was initially leaked one or two years ago.
"It is unlikely but not impossible that security flaws such as RCE (Remote Code Execution) exist," Demoman writes. Furthermore, Neither Valve nor the Team Fortress 2 Twitter accounts acknowledge the leak or the alleged risks of RCE attacks.
Still, even though it has not been confirmed, the seriousness of the risk warrants extra caution when playing TF2, CS: GO, or potentially any other online Source games including Garry's Mod. Moderators on the TF2 subreddit are warning players to stay off servers or avoid the games altogether until an "all clear" has been issued — prudent advice considering the implications.