Fenrir
Forum Admin
In the last several weeks, we have identified several accounts on the official OBS Studio forums that had become compromised as part of a coordinated attack. The accounts that were targeted were owners of plugin resources that were updated with malicious versions, in an attempt to exploit users of OBS for unknown reasons.
In our investigation, we have confirmed that these accounts were compromised with low-skill, password re-use attacks. What this means is that the account used the same email or account name, had that password leak elsewhere, and the same password was used on our forums. Based on our investigation, we do not believe any information or data from the forums was compromised or stolen and there was no breach of the forums themselves. No accounts are currently at direct risk, but we strongly urge all users to enable 2FA whenever possible, not just on our forums, but anywhere they have an online account.
Below is a list of all resources we identified as being replaced with malicious versions which have since been removed. If you have downloaded any of the following plugin versions from the forum, we strongly urge you to remove them immediately, and scan your PC for malware.
ClickSound
Versions: 2026-02-28, 1.0.1
Compromised Dates: Feb 27th 5:29PM PT - Feb 28th 5:15PM PT
SRBeep
Versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3
Compromised Dates: Feb 8th 3:23PM PT - Feb 22nd 8:44AM PT
obs-websocket
Versions: 2026-02-28, 5.0.2
Compromised Dates: Feb 27th 8:22PM PT - Feb 28th 8:32AM PT
Only downloads of these plugins through the forum Resource section were affected. The version of obs-websocket bundled with OBS is not affected in any way.
Prior to this incident, new resource submissions on the forum were subject to manual approval. We have now also updated our process to require manual approval for resource updates as well. Additionally, we have implemented a new requirement that all accounts must enable 2FA to be able to post a new resource, or update an existing resource.
In our investigation, we have confirmed that these accounts were compromised with low-skill, password re-use attacks. What this means is that the account used the same email or account name, had that password leak elsewhere, and the same password was used on our forums. Based on our investigation, we do not believe any information or data from the forums was compromised or stolen and there was no breach of the forums themselves. No accounts are currently at direct risk, but we strongly urge all users to enable 2FA whenever possible, not just on our forums, but anywhere they have an online account.
Below is a list of all resources we identified as being replaced with malicious versions which have since been removed. If you have downloaded any of the following plugin versions from the forum, we strongly urge you to remove them immediately, and scan your PC for malware.
ClickSound
Versions: 2026-02-28, 1.0.1
Compromised Dates: Feb 27th 5:29PM PT - Feb 28th 5:15PM PT
SRBeep
Versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3
Compromised Dates: Feb 8th 3:23PM PT - Feb 22nd 8:44AM PT
obs-websocket
Versions: 2026-02-28, 5.0.2
Compromised Dates: Feb 27th 8:22PM PT - Feb 28th 8:32AM PT
Only downloads of these plugins through the forum Resource section were affected. The version of obs-websocket bundled with OBS is not affected in any way.
Prior to this incident, new resource submissions on the forum were subject to manual approval. We have now also updated our process to require manual approval for resource updates as well. Additionally, we have implemented a new requirement that all accounts must enable 2FA to be able to post a new resource, or update an existing resource.