If you used Cities: Skylines mods from a user known as Chaos or Holy Water, it's probably worth unsubscribing from them, as a post on the Cities: Skylines subreddit (opens in new tab) explains.
Chaos uploaded a redesigned version of Harmony (a patching library originally created for RimWorld that is now a framework relied on by the modding communities of several games), following that with redesigned versions of other mods like Network Extensions and Traffic Manager that required Harmony (Redesigned) also be installed. And that's apparently where the trouble began.
As a community moderator told the NME (opens in new tab), one of the Chaos mods would set off fake error messages when it detected the original version of Harmony was running as a way of encouraging players to download Harmony (Redesigned). That mod, they went on to explain, contained an automatic updater that could, if players ran the game as an administrator, be used to remotely install "keyloggers, viruses, bitcoin mining software—literally anything."
The mod also blocked access from Steam IDs belonging to other modders, well-known community members, and employees of developer Colossal Order, supposedly as a way of preventing its code from being examined. "What's been implemented would let him cryptolock a bunch of machines, create a botnet (and DDoS his enemies?) or mine cryptocurrency," the NME's source added.
Valve had previously banned Chaos from Steam for doxxing members of the Cities: Skyline community, but he returned under the name Holy Water. That account has now been banned as well, and several of the mods removed from the Steam Workshop—though not all of them. The Reddit post (opens in new tab) includes an up-to-date list, as well as a guide to safely uninstalling and replacing the mods.
Chaos has since returned to Steam a third time, and is now claiming to be the victim of a hate campaign organized by a Colossal Order community manager he calls the "Queen of the Trolls". He also says he found a keylogger built into Cities: Skylines that is "exfiltrating your data to Paradox Online Publishing Services".