I worked on BeamMP[0][1] for 5 years, both as a project manager and lead developer for the server and client. BeamMP is a wildly popular multiplayer mod for BeamNG (1M registered players, always at least 3k concurrent players, also it's AGPL licensed). I left the team this year, but I can tell you: Mods, if they manage to break the sandbox in any way, can do <i>anything</i>, and the BeamNG sandbox will never be perfect. To their credit, the BeamNG devs have hired people from the community who do a lot of security research, and they have found numerous issues and fixed them before they could be exploited.<p>We have seen prototypes that can make network requests out of the sandbox, call WinAPI functions, and do anything else with the same privileges as the game, which, worst case, is admin because players like running things as administrator. All of <i>those</i> exploits are fixed now.<p>The issue remains one of the largest problems in the community, and sites that are well known for distributing mods with malware (which is pretty common) are at the top of Google search results.<p>BeamMP allows mods on servers, which causes clients to download and then execute code from those mods. That's a huge attack vector and BeamMP has been working hard to warn users and to come up with ways to prevent problems; but without funding (BeamMP is free) there is a limit on what can be done. The infrastructure costs already are sky high for supporting the crazy amount of users they have.<p>Sadly, everyone involved loves NDAs - I can only hope that companies start doing writeups, but I doubt it. So that's all the inside info I can give ;)<p>[0] <a href="https://beammp.com" rel="nofollow">https://beammp.com</a><p>[1] <a href="https://GitHub.com/BeamMP">https://GitHub.com/BeamMP</a>