Malware strikes again. I’m starting to worry about Steam’s lax security


Mar 24, 2025 - 17:33

Steam is, or at least it’s supposed to be, something of a walled garden. Like Apple’s App Store for iPhones or the various console game stores, items listed on the store are supposed to be safe, if not necessarily good. They implicitly carry Valve’s seal of approval. But a couple of recent instances of full-on malware being hidden in Steam games are starting to take the shine off.

Back in February there was a free-to-play game that popped up on a Steam listing with stolen assets, spreading malware to downloaders that triggered antivirus and apparently managed to steal Microsoft and Steam login info. BleepingComputer reports on a similar incident just a few weeks later: A free demo (check) with a listing that had assets copied from another game (check) and apparently installed spyware (triple check).

There’s an interesting wrinkle in the newer listing, which was labeled “Sniper: Phantom’s Resolution” before it was yanked off the store by Valve. Instead of offering the free demo via Steam’s distribution (you know, the entire point of being on Steam), the description instructed would-be players to download the demo on GitHub. The link sent them to a download that brazenly installed cookie interceptors and Node.js scripts, apparently intended to evade Windows security and send personal info elsewhere. The GitHub pages and associated accounts have also been nuked from orbit.

PC gaming has never been more popular, and Steam is the de facto gatekeeper for the platform, with over 40 million concurrent players logged in at peak times. It’s also an incredibly huge system, with almost 20,000 new games added last year alone. That makes the Steam store both a tempting target and an easy crowd to get lost in if you’re trying to distribute malware.

Now, I’m certain that Valve has security measures in place. They’d be foolish not to. In 2023 the company augmented its Steam Guard authentication system on the developer side as well as the user side. And I’m betting that the “download the demo on GitHub” gamble was used specifically to avoid loading up these phony installer files on Steam’s servers and getting them flagged by an automated security system.

But Valve is not Google or Apple, and it was reported in 2021 that there were fewer than 100 people working on Steam. That might be quite a few more now that it broadly includes the OS that powers the Steam Deck, but we’re talking about a huge number of users, software, and updates to monitor.

To be frank: I think it’s time to start treating Steam downloads with the same kind of wariness you employ (or at least, you should employ) for software downloads on the wide-open web. If you see a download link on a confirmed Microsoft site, it’s probably fine. But a free demo from someone you’ve never heard of? Maaaaybe do a bit of research first, or load it up in a safe sandbox.

And I’m not saying that every single download from Steam needs that kind of scrutiny. If you’re updating a game you’ve been playing for years, or you’re pre-loading one from a well-established developer, it’s almost certainly safe, just because no one’s risking a good thing on a desperate malware play. But if you see a free-to-play game or a demo from a brand new developer, especially if it seems to be using copy-and-paste assets in the store page, you might just check around a bit before installing it.