Poiyomi, who is the developer behind what is widely regarded as the most popular and feature-rich VRChat shader ever created, has reportedly been the victim of a cybersecurity breach. Reports began circulating on April 13, 2026, with community watchdog account Pirat_Nation on Twitter alerting the VRChat creator community that the "Poiyomi Toon Shader" developer has been hacked.
The Poiyomi Discord server, which serves as the central hub for shader downloads, community support, and Pro subscriber access, has been locked down. All channels are closed while an active investigation is underway. Poiyomi Shaders sits at the foundation of avatar creation for tens of thousands of active VRChat creators, and a supply chain attack or package compromise could affect a significant portion of the entire VRChat avatar ecosystem.
"Until there is an official update, do not download, update, or install any Poiyomi packages β including anything available through the VRChat Creator Companion listings."
β Community advisory via Pirat_Nation on X, April 13, 2026
Poiyomi Shaders:
Poiyomi Shaders is a free, open-source, feature-rich shader for Unity's Built-In Rendering Pipeline, designed specifically for VRChat avatars and worlds. It supports multiple shading models, from realistic to toon, flat, and more - alongside sophisticated lighting controls, outline effects, AudioLink integration, Decals, RGBA Color Masking, Matcaps, Glitter, and dozens of other capabilities.
Its modular architecture that allows the shader to generate what is effectively a custom compiled shader per material upon avatar upload. This makes it one of the most performance-efficient and visually powerful tools in the VRChat content creation pipeline. Both a free public version and a paid Pro tier (via Patreon at $10/month) exist, distributed through GitHub, the VRChat Creator Companion (VCC), and the team's own Discord server.
The investigation is still actively ongoing, and no official post-incident report has been issued by Poiyomi or the VRChat team. Creators and users are strongly urged to remain on high alert and to monitor only official channels for updates. Do not rely on third-party reposts, unofficial Discord mirrors, or any download links not confirmed by verified Poiyomi staff members.
How This Could Have Happened?
The exact method of the Poiyomi security breach has not yet been publicly disclosed. However, cybersecurity patterns in the gaming and open-source tool space provide a clear framework for understanding this attack.
Developer accounts and distribution infrastructure are commonly targeted through credential theft, phishing attacks against team members, compromised API tokens, or unauthorized access to GitHub repositories or Discord bot permissions.
In cases where the attacker gains control of the distribution pipeline, whether that is a GitHub releases page, a VPM (VRChat Package Manager) repository, or a Discord server used to deliver packages, they can simply push malicious files that masquerade as legitimate shader updates.
The main problem for Poiyomi is that the shader's VRChat Creator Companion integration allows for one-click installs and automatic updates directly within a creator's Unity workflow. A compromised VCC package listing would be a highly effective delivery mechanism for any malicious payload, since creators routinely install updates without inspecting the contents.
What Users Should Do Right Now?
Questions:
- What are your thoughts on this situation?
- What else would you suggest on this problem?
Let me know in the comments, where you can also provide the latest news so I can make a breakdown of it.