Update 2 (1 am ET, April 23): Valve has now also addressed the leak as it pertains to Team Fortress 2, with a series of tweets relating a similar message: It will continue to investigate, but has "not found any reason for TF2 players to be alarmed or avoid the current builds."
From our review, we have not found any reason for TF2 players to be alarmed or avoid the current builds (as always, playing on the official servers is recommended for greatest security).April 23, 2020
https://t.co/Bz4QD3z5cbApril 23, 2020
Update: Valve says it has reviewed the code in question—which comes from CS:GO, but includes very old pieces of Team Fortress 2—and does not consider it dangerous. However, it will "continue to investigate." Here's the full statement Valve sent to PC Gamer:
"We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds (as always, playing on the official servers is recommended for greatest security).
"We will continue to investigate the situation and will update news outlets and players if we find anything to prove otherwise. In the meantime, if anyone has more information about the leak, the Valve security page (https://www.valvesoftware.com/en/security) describes how best to report that information."
A similar message was shared via the official CS:GO Twitter feed:
We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds.April 22, 2020
The source of the leak isn't currently certain, but according to SteamDB the code is dated from 2017-18, and was previously made available to Source engine licensees.
Source code for both CS:GO and TF2 dated 2017/2018 that was made available to Source engine licencees was leaked to the public today. pic.twitter.com/qWEQGbq9Y6April 22, 2020
Valve News Network's Tyler McVicker, who regularly reports on leaks and rumors at Valve, claimed in a Twitch stream that the code originally came from a "member of the Source engine development community" in 2018. According to McVicker, members of Source Engine modding team Lever Softworks took steps to "contain" the leak after he warned Valve and received no response. The person who leaked the code today was not the same person who originally leaked it, he said, but a disgruntled former member of Lever who had recently been booted from the group.
"I did not leak this source code, and in fact I never had it," said McVicker. "I was very aware of it, and in fact the warning signs of the original leak—it was very apparent, and then it did leak sometime in late 2018, and then my little group of Source Engine developers, all on this Lever Softworks Discord server, were discussing the leak and how to contain it, how to keep it from hitting critical mass.
"Because unfortunately if it had hit critical mass, it wouldn't really hurt any one individual in particular. It would hurt the Source engine development community as a whole, because if Source code leaks, Valve then pulls the ability to have that source code to develop off of."
In a follow-up conversation, McVicker told us that the leaked content did not originate with his group at all. "We have learned that the person who leaked it to 4chan didn't even get the code from anyone associated with me, they got it from a completely different person," he said. "We went and looked back, because we have records of everything, and we did not give this person anything."
Instead, he repeated his statement that he and a few other modders had tried to keep the word of the leak restricted to a few "niche" communities on the modding scene. It was a largely successful effort, until a falling-out with the current leaker led to today's events.
"I never had access to [the leaked source code] and I never wanted access to it," he said. "I didn't want to touch it at all, because I didn't want to be associated with it. I was trying to keep it from leaking because if something of this magnitude leaks, it will hurt many legitimate developers, and it will destroy many communities. And unfortunately the damage is now done, and the real people that are going to hurt here are Source Engine developers."
The one upside McVicker sees is that this leak isn't really "new" at all, and so the risk to players hopefully isn't anywhere near a worst-case scenario. "This stuff already leaked two years ago, and anybody that was deep within the community, or anybody that knew the engine enough, understood that the code was out there already," he said. "So the really professional nefarious bad actors likely already had access to this code."
McVicker did not identify the original "Source engine development community" leaker he references, nor today's leaker. However, his story is backed up by fellow Valve enthusiast Jaycie Erysdren, who explained the story from her perspective on Twitter.
There's still some uncertainty around the source of the leak, but the more immediate issue is the reported discovery of remote code execution bugs in the source code, noted in this TF2 subreddit thread. If such a vulnerability existed, unscrupulous programmers could use to compromise the security of TF2 and CS:GO players. Remote code execution is what it sounds like: the ability to make someone else's PC execute code or commands remotely.
"Allegedly, a remote code execution exploit that could be used to run malicious code on your client has already been discovered and many more of that kind are likely to come," a notification on the official Red Sun Discord says. "I recommend you not to play the game at all on online servers until Valve themselves gives us the clear."
Due to the recent source code leak we will be closing our servers for the forseeable future. This is because of the uncertainty surrounding security of our infrastructure, as well as a potential for damage to be caused to your computer.https://t.co/gWcIKRMPdjApril 22, 2020
(Note: No new vulnerabilities have been confirmed at this time. See the update at the top of this article for Valve's response, which is that it has "not found any reason for players to be alarmed or avoid the current builds.")
This wouldn't be the first time that an RCE bug has been found in Source Engine games. In 2017, a "buffer overflow vulnerability" was discovered that left TF2, CS:GO, Portal 2, and others open to exploits that could be triggered simply by shooting at an enemy. In that case, however, the bug was found by a security research company, which notified Valve and then went public after the bug was fixed. The current leak could reveal new RCEs before Valve has a chance to correct them.
McVicker says in his video that he's provided all the information he has to Valve's legal team.