The FBI is investigating what appears to be a coordinated malware campaign targeting Steam users, with federal investigators believing a single threat actor has been embedding malicious code inside video games published on Valve's platform over the past two years. The investigation marks a significant escalation in supply chain attacks targeting gaming platforms, which collectively reach hundreds of millions of users worldwide.
Federal investigators are tracking what they believe is a sophisticated, multi-year malware operation that's been hiding in plain sight on the world's largest PC gaming platform. The FBI's investigation into Steam centers on multiple video games published over the last two years that appear to have been deliberately weaponized by the same threat actor, according to TechCrunch.
The revelation raises serious questions about Valve's game vetting process and represents a troubling evolution in supply chain attacks. Instead of compromising enterprise software or development tools, this threat actor went straight for entertainment, embedding malicious payloads inside games downloaded by unsuspecting players. With Steam boasting over 120 million monthly active users, the potential exposure is massive.
While the FBI hasn't publicly disclosed which specific games were compromised or how many users may have been affected, the two-year timeline suggests this wasn't a one-off incident. The agency's belief that a single hacker orchestrated the entire campaign indicates a level of patience and operational security rarely seen outside nation-state operations. But the targeting of a consumer gaming platform points more toward financially motivated cybercrime than espionage.
The attack vector is particularly insidious. Gamers downloading titles from Steam generally trust the platform's security, much like smartphone users trust Apple's App Store or Google Play. That trust makes them less likely to scrutinize unexpected permission requests or unusual system behavior during gameplay. For infostealer-type malware, which quietly harvests credentials, browser cookies, and cryptocurrency wallets, that's the perfect cover.












