We have recently discovered that some malicious Studio plugins are injecting scripts into hidden services. Because the services are hidden from the Studio Explorer, detecting these scripts is nearly impossible.
How to tell if you are affected
- File > Save As… and select “.rbxlx” as the file format
- Open the saved file using a text editor like Notepad
- Search for “Backpack” and see if you find anything that looks like this:
<Item class="Backpack"> <Properties> ... </Properties> <Item class="Script"> ... </Item> </Item>
If present, this indicates that a hidden script was likely injected into your place.
What to do if you are affected
We are working on a change where a script under a Backpack will only execute if parented to a Player or descendant of a service that executes scripts like Workspace or ServerScriptService. It is unlikely that this change will negatively impact your games.
We are working on a solution so scripts under Backpacks/PlayerGuis to only execute scripts that are descendants of a Backpack that is parented to a Player or descendants.
- Descendants of a service that executes scripts (e.g. Workspace, ServerScriptService)
We will release this change as soon as possible. If you want a solution in the interim, you have two options:
- Manually edit your place files to remove these injected scripts
- Use a developer-made plugin such as Christbru01’s Hidden Script Detector to remove these scripts. We have not tested any of these plugins so, if you choose to use them, you are using them at your own risk.
Long term, there are other things we plan to do in order to improve the security of our product:
- Add a Studio setting to make all hidden services visible to make it easier to detect similar exploits
- Rethink our entire plugin security model in order to ensure plugins cannot perform malicious actions like this without user consent
Let us know if you have any questions about this issue.