Seeing several people reporting this morning that Webfishing has a vulnerability that’s being exploited by a bad actor known as “the Grincher”.

Based on reports I’ve seen so far, this person has allegedly figured out how to enter lobbies even if they are made private. The person then sends a block of spam in-game mail to the players in the lobby that contains an alleged HTML payload that executes when opened. This allows the “Grincher” to acquire client IP addresses and (potentially, based on reports) brute-force login attempts to the user’s Steam account to lock it out.

Most users who are reporting issues are either streamers/v-tubers or adjacent to streamers/v-tubers who have been streaming the game recently on Twitch and related platforms.

The developer, @westthewerst, has stated (as of 8:30 AM EST today) that they are well aware of the letter/mail crashing issue and the issue of others joining code-protected (private) lobbies. They announced an upcoming patch that pledges to resolve the issues at hand. West is also seeking any proof of IP stealing/spoofing that has resulted from the exploits, as no concrete proof has been offered as of this writing.

tl;dr - Webfishing has a few bugs that need to be patched before the game is truly “safe” to play online with others, but those fixes appear to be in the works.