Malware Was Distributed Through the Official Unity Website

Unity Technologies, the video-game software company, has disclosed a data breach involving malicious code on the website of its SpeedTree toolkit, which stole confidential information from hundreds of customers.

According to a notice filed with the Maine Attorney General’s Office, malicious code was active on the SpeedTree website’s checkout page between March 13 and August 26, 2025, compromising data from at least 428 customers.

The injected script was designed to harvest information entered during purchases, including names, addresses, email addresses, payment-card numbers, and CVV codes.

After discovering the malware, Unity took the website offline, removed the malicious code, and launched an internal investigation. The company has not disclosed how the breach occurred or how attackers gained access to the site.

All affected customers have been notified and offered free credit-monitoring and identity-theft protection services through Equifax.

Why It Matters

The incident highlights ongoing risks facing even reputable software vendors: supply-chain and web-skimming attacks that silently compromise checkout pages to steal payment information.
Unity’s disclosure underscores the growing trend of attackers targeting niche developer tools and plug-in marketplaces rather than consumer storefronts — exploiting trust in legitimate brand domains.