Gamers are accusing a company that makes mods for Microsoft’s Flight Simulator X game of putting a password stealer inside one of its add-ons.

The company defended its decision by saying the tool works as part of a Digital Rights Management (DRM) platform and only activates when users are using a pirated copy of their mod.

The company at the heart of this controversy is Flight Sim Labs, and the mod that got everyone talking is A320-X, a $100 add-on for Microsoft’s Flight Simulator X that allows users to pilot Airbus A320 airplanes.

Mod included Chrome password dumper

According to a Reddit user named crankyrecursion, the recent version of this mod (FSLabs_A320X_P3D_v2.0.1.231.exe) included a file named test.exe that was a renamed version of an application named “Chrome Password Dump,” sold by SecurityXploded.

This tool is a command-line application that extracts passwords from Chrome’s internal database, as advertised by SecurityXploded and verified by many users, such as Luke Gorman and the team at Fidus Security.

test.exe file executed

The presence of such tool in a game mod alarmed users, most fearing the mod maker might have been hacked, and someone hid the tool inside the mod’s installer, hoping nobody would notice.

Password dumper supposedly activates only for “pirates”

But instead of denouncing any claims of getting hacked, things took a weird turn when Lefteris Kalamaras, the mod-making company’s CEO, accused the Reddit user of being a pirate.

According to a post on the company’s support forums, Kalamaras explained that the Chrome Password Dump tool was added to the A320-X mod intentionally.

Kalamaras says the…