Here's the moral of the story:

Some Unity library is injecting a script tag into your game's HTML5 export page that looks legit but actually has layers of obfuscated code to let a third party inject any code they want into your game's page when it launches. https://twitter.com/moonscript/status/1245868730501844994
To make it even harder to detect, this code only activates some percentage of the time, and has some other obfuscated checks. Probably to make it hard for the developers to spot when they test their HTML5 build.
Unity developers probably don't think of themselves as web developers, and probably don't even consider that they could be injecting malicious code into their players' browsers when they distribute their game.

Check your dependencies and third party scripts
Think of it from the perspective of the malicious person:

They make some Unity library that becomes popular. They sneak out an update that actually turns players of HTML5 games that use that library into malware download sites that they can profit from.
Got some more details: I don't think it's something installed from the Unity asset store. It was a link to a script added to the game years ago, probably via a tutorial for use with JavaScript interop. The host the script was on was compromised at a later time, leading to the malware page.
Also, just noting I wasn't trying to blame Unity: All software development environments can be vulnerable to stuff like this.

I want to emphasize that if your game engine exports to HTML5 then you are also taking on any security implications that web developers also deal with.
If your system can dynamically load code at runtime then you're putting the security of your project in the hands of the host of that code.

In this case the dev was dynamically loading a script from a host that was hacked, and that turned their game into malware.
You can follow @moonscript.
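
One way to act on "check your dependencies and third party scripts" is to inventory every `<script src>` in the exported page that fetches code from a host you don't control, and flag the ones that are not pinned with Subresource Integrity. This is an added example, not code from the thread; the sample page, host names and file names are constructed, and the SRI check is an assumption about what a reviewer would want flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample export page (hosts and file names are made up).
SAMPLE_EXPORT = """<!DOCTYPE html>
<html>
<head>
<script src="Build/game.loader.js"></script>
<script src="http://scripts.example.net/interop-helper.js"></script>
<script src="https://cdn.example.org/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head>
<body><script>startGame();</script></body>
</html>
"""

class ScriptAudit(HTMLParser):
    """Inventory <script src> tags that fetch code from a host you don't control."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = (attr.get("src") or "").strip()
        url = urlparse(src)
        host = (url.hostname or "").lower()
        if not host or host in self.own_hosts:
            return  # inline, relative path, or a host you control
        problems = []
        if url.scheme == "http":
            problems.append("loaded over plain HTTP")
        if not attr.get("integrity"):
            problems.append("no integrity attribute (SRI)")
        line, _ = self.getpos()
        self.findings.append({"line": line, "src": src, "host": host, "problems": problems})

def audit_export(html, own_hosts=()):
    """Return every third-party script reference with its problems."""
    parser = ScriptAudit(own_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f["line"], f["host"], "; ".join(f["problems"]) or "pinned with SRI")
```

This only sees script tags present in the static HTML; scripts that the page's own JavaScript adds at runtime need a separate review of that code or a Content-Security-Policy `script-src` allowlist.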