
A sha256 is only good if you have an authoritative original source where you can check that number. Usually in a situation where the original source does not have the capacity for downloads, so you use a mirror that might be compromised. So I would not even check that number if I downloaded your game from Itch.

A typical malware using your game would just create an account, upload your game with added malware and not even mention a checksum. I did see fake and original indexed side by side here on Itch. Also, indexed fake and a delisted original. That was kinda frightening.

And you are right, if your game was a high value target for impersonation, and you hardcode the warning about looking for that checksum somewhere, they would either change that checksum on the fake page, remove the warning or better, change the link to the fake site.

(I have seen hackings in progress. They would just replace your project with a different project. Too much effort to replace the files. If you were to have hundreds of followers that might download a new infected version, that would be a different matter. I have seen fake accounts with 50 followers :-/ )

Itch does not verify developers, nor their executables. (Oh, they do have basic scanners, but those are ... not up to the task.)

Steam does this in some way. It is very big news, if there is malware on Steam. On Itch this happens probably about 10 times a day. Speaking about indexed projects. Maybe the scammers upload 100 a day and Itch catches 90. Those criminals do that fulltime. And even without bots, someone can easily upload several fakes an hour.

On several weekends last year I easily saw 20+ malware uploads. That 10 per day is a conservative estimate based on experience, not an exaggeration. Around that time I created that thread here https://itch.io/t/3512426/itch-is-not-a-safe-place-do-not-download-things . It was heartbreaking to see dozens of hacked accounts each weekend. I do wonder why I almost never see people complaining in the message boards. There are complaints about everything, but rarely about being hacked. This thread here is one of those very few.

"Steam does this in some way. It is very big news, if there is malware on Steam. On Itch this happens probably about 10 times a day. Speaking about indexed projects. Maybe the scammers upload 100 a day and Itch catches 90. Those criminals do that fulltime. And even without bots, someone can easily upload several fakes an hour.

On several weekends last year I easily saw 20+ malware uploads. That 10 per day is a conservative estimate based on experience, not an exaggeration."

I wonder ... where do you get this information ...

I can't imagine you - or anyone - randomly downloading dozens or hundreds of games daily for fun ... just to check if they're safe to use ...

Are you part of the staff or an IT expert? - Like a hired hand to test a provider's measurements on safety and integrity?

I wonder ... where do you get this information ...

That there was malware by the dozen on weekends is what happened and what probably still happens. You personally stumbled over several of them without trying.

randomly downloading dozens or hundreds of games daily for fun ... just to check if they're safe to use ...

It is neither random, nor is a download needed. You also recognised patterns. They change, but within a week they stay noticeable. So it is a few seconds to have high confidence. And of course, I do not check all games. But enough to stumble over a lot of malware.

Oh, and I currently do not browse new games, but wanted to have a look how bad it currently is. It took me less than a minute to find two fake accounts. They have 16 followers together. How do I know? Experience and things I do not want to discuss, since they will change anyway with the next batch of malware uploads. Currently you would also be suspicious of those fake accounts ;-)

Oh, and I tried the smallest of the games out of curiosity and it did not trigger a single scanner on VirusTotal.

Browsing new games on Itch is dangerous. Using a sandbox is recommended.