Valve, are you paying attention? While you’ve been preoccupied with moderating adult content and leaving fans waiting for a new Steam Deck refresh, something far more dangerous has been creeping into your storefront—actual malware. For the third time this year, a game on Steam has been caught delivering malicious software to unsuspecting users, and this time it may not be the work of scammers, but the result of a compromised developer.
Security firm Prodaft, via BleepingComputer, reports that the game Chemia—a post-apocalyptic crafting sim listed in Early Access—was injected with malware on July 22nd. Researchers say that two distinct spyware packages, HijackLoader and Fickle Stealer, were remotely added to the game’s download files. Unlike previous cases, where the entire game seemed to be a front for spreading malware, Chemia appears to have been a legitimate project that simply got hijacked, likely through stolen developer credentials.
Chemia is still available via Steam’s Playtest system, a feature that allows players to try pre-release games via an invite. The game hasn’t officially launched, has no reviews, and has likely reached only a small number of users—but the fact that malware was distributed through Steam at all, and through a real game, is deeply unsettling.
Earlier in 2025, Valve removed two other malware-infected games—PirateFi in February and Sniper: Phantom’s Resolution in March. Those titles were obvious fakes, designed from the ground up to act as delivery vehicles for malicious code. Chemia, by contrast, has been sitting on Steam for over a year. It was developed by Aether Forge Studios, a small team with no other known titles. All signs point to the studio’s Steam developer account being compromised, and malicious code being injected after the fact.
This latest breach calls into question Valve’s ability to monitor and protect its platform. With thousands of games being published each year, the company needs to reassess how it safeguards its ecosystem—not just from shady asset flips, but from genuine projects that can be weaponized post-launch. The line between “safe” and “infected” on Steam is beginning to blur—and users deserve better.