A malicious actor injected polymorphic Lua/Python scripts into a commercially distributed “Eye Tracking + Physics Enhancement” package on a Unity Asset Store clone. The script activated only when the streamer’s donation threshold exceeded $500, triggering an automated “puppet mode.”
The following actions were taken immediately upon detection:
The attack vector was identified as a malicious script hidden within a seemingly benign asset file (likely a superchat sticker or a viewer-submitted asset loaded into memory).