Valve Must Fix Steam’s Security Failures
The Chemia malware incident exposes how weak Steam’s oversight has become. Valve’s silence and lax review process put users at risk - and that needs to change.
Valve has a security problem, and it’s no longer something it can ignore. The recent discovery that the game Chemia, available through Steam’s Early Access program, was secretly spreading malware is more than just a red flag. It’s a flashing siren warning us that Steam’s system is broken - and users are being left exposed.
It’s not just that Chemia had malware. It’s how easily it happened, how quietly Valve removed the game, and how completely absent the company has been in offering any explanation or help to those who downloaded it. If Valve wants to keep calling Steam a safe and trusted platform, it needs to start acting like it. Right now, it’s failing.
Valve Must Fix Steam’s Security Failures
Steam’s Early Access Is a Security Loophole
Let’s be blunt: Steam’s Early Access section is a vulnerability. Valve uses it as a way to let indie developers test unfinished games in the wild, which sounds good in theory. But in practice, it’s become a blind spot - one that hackers are already exploiting.
Chemia is the third Early Access game this year caught distributing malware. Before it, there was Sniper: Phantom’s Resolution and PirateFi. All slipped through Steam’s process. All were allowed onto the platform without being properly scanned. That’s not an accident - it’s a pattern.
Valve might argue that Early Access games are meant to be "buyer beware," but that’s not a defense when malware is involved. Users weren’t just downloading buggy games. They were unknowingly giving hackers access to their systems, including sensitive information like crypto wallet keys and browser passwords. That crosses a line - one that Valve should have been guarding.
Valve Must Fix Steam’s Security Failures
Valve’s Silence Is Irresponsible
Even worse than the breach itself is how Valve responded. Or rather, how it didn’t. There has been no public statement, no warning to players, no effort to help those who downloaded Chemia before it was removed. The game’s store page now just redirects to Steam’s homepage, as if nothing happened.
This lack of transparency is unacceptable. When a breach like this happens, the minimum responsibility of any platform is to inform its users. Instead, Valve quietly swept it under the rug. It looks like damage control, not damage prevention.
The company’s refusal to even acknowledge what happened sends the wrong message: that security breaches can be handled silently and that users don’t need to know when their data is at risk.
Valve Must Fix Steam’s Security Failures
The Threat Goes Beyond Steam
What’s more troubling is who was behind this attack. The malware was traced to EncryptHub, a hacking group also known as Larva-208, which has been linked to previous global phishing campaigns. This wasn’t some random virus accidentally bundled into a game. It was a coordinated attack designed to exploit trust in the Steam platform.
The malware didn’t just infect computers. It pulled instructions from Telegram channels, downloaded more harmful files from shady domains, and ran silently in the background to avoid detection. And yes - it specifically targeted crypto wallet data. Even though Chemia wasn’t a web3 game, its malware clearly had web3 users in mind.
That means the crossover between gaming and crypto is now officially on hackers' radar. Anyone with digital assets should think twice before downloading new games - even from trusted platforms.
Valve Must Fix Steam’s Security Failures
Steam Can’t Keep Pushing This Onto Users
Security experts are now telling people to scan their systems and check for signs of infection. And while that’s good advice, it also highlights the bigger issue: the burden is being shifted to users who had no reason to suspect anything was wrong in the first place.
Let’s be clear - it’s not the average gamer’s job to check game files for malware. It’s Valve’s. But right now, Steam isn’t just failing to prevent these attacks - it’s refusing to own up to them afterward. That’s a massive failure of leadership and responsibility. This approach is unsustainable. The more Valve treats security as someone else’s problem, the more it invites hackers to take advantage. And they will - because they already are.
Valve Has the Power to Fix This
Valve is not some small startup struggling with limited resources. It runs one of the largest digital gaming platforms in the world. It has the money, the talent, and the infrastructure to implement stronger safeguards, better detection systems, and a clear protocol for dealing with incidents like this.
There’s no excuse for allowing malware-laced games onto the platform in 2025. There’s no excuse for not informing users. And there’s definitely no excuse for pretending nothing happened.
Valve needs to clean up its Early Access program. It needs to introduce real-time malware scanning, audit developer uploads, and impose stricter rules for pushing updates to live games. It also needs to start being honest with its community when things go wrong.
This isn’t about perfection. It’s about taking responsibility.
About the author
Eliza Crichton-Stuart
Head of Operations
Updated:
August 2nd 2025
Posted:
August 2nd 2025
