That free indie platformer you grabbed on Steam last summer might have been harvesting your passwords while you chased high scores.
The FBI Seattle Field Office is investigating seven low-profile Steam releases—BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, Tokenova—after confirming they carried info-stealing malware between May 2024 and January 2026.
According to the bureau, the games looked perfectly legitimate, ran silently in the background, and relied on tiny player bases to stay unnoticed before their publishers yanked them offline.
Once installed, the hidden payload scoops up browser-stored credentials, authentication cookies, Steam and Discord tokens, crypto-wallet data, and basic system fingerprints.
The cookie theft is the sneaky part: if you’ve told your browser to remember your login, that cookie stands in for a session that already passed two-factor, so it can sometimes sidestep those checks and let an attacker waltz straight into your other accounts.
Because Steam’s indie door is basically propped open—anyone with a $100 fee and a Unity build can ship a game—these titles slipped past Valve’s automated checks. Most buyers never left reviews, so the malware sat undetected for months until a few sharp-eyed players noticed antivirus alerts and tipped off the feds.
The FBI is now asking anyone who installed the listed games to:
- Uninstall the program
- Run a full malware scan
- Rotate every stored password
- Drop details into a new victim portal
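
Before working through that list, it helps to know whether any of the seven titles is still installed. The script below is an added example, not code from the FBI or Bitdefender: it reads Steam's `appmanifest_*.acf` files in every library folder and flags installed apps whose name contains one of the listed titles. The default install path and the substring matching are assumptions, so treat each hit as a lead to review.

```python
import re
import sys
from pathlib import Path

# Titles as listed in the article; "Dashverse/DashFPS" is split into both names.
FLAGGED = ["BlockBlasters", "Chemia", "Dashverse", "DashFPS",
           "Lampy", "Lunara", "PirateFi", "Tokenova"]
KV = re.compile(r'^\s*"([^"]+)"\s+"([^"]*)"\s*$', re.M)

def norm(s):
    """Lowercase and drop spaces/punctuation so 'Block Blasters' == 'BlockBlasters'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def parse_acf(text):
    """Return the quoted key/value pairs of a Steam .acf/.vdf file (first occurrence wins)."""
    out = {}
    for k, v in KV.findall(text):
        out.setdefault(k.lower(), v)
    return out

def library_dirs(steam_root):
    """steamapps dir of the main install plus any extra libraries in libraryfolders.vdf."""
    main = Path(steam_root) / "steamapps"
    dirs = [main]
    vdf = main / "libraryfolders.vdf"
    if vdf.is_file():
        for k, v in KV.findall(vdf.read_text(encoding="utf-8", errors="replace")):
            if k.lower() == "path":
                p = Path(v.replace("\\\\", "\\")) / "steamapps"
                if p not in dirs:
                    dirs.append(p)
    return dirs

def find_flagged(steam_root):
    """List (appid, name, manifest path) for installed apps whose name contains a flagged title."""
    hits = []
    for d in library_dirs(steam_root):
        for mf in sorted(d.glob("appmanifest_*.acf")):
            info = parse_acf(mf.read_text(encoding="utf-8", errors="replace"))
            name = info.get("name", "")
            if any(norm(t) in norm(name) for t in FLAGGED):
                hits.append((info.get("appid", "?"), name, str(mf)))
    return hits

if __name__ == "__main__":
    # Default path is an assumption (typical Windows install); pass your own as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files (x86)\Steam"
    for appid, name, path in find_flagged(root):
        print(f"REVIEW: {name} (appid {appid}) -> {path}")
```

Steam deletes the manifest when a game is uninstalled, so an empty result only means none of the titles is installed now, not that none ever was.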
Security vendors such as Bitdefender recommend keeping real-time behavioral monitoring switched on even for downloads that come from “trusted” storefronts. Translation: treat every new indie launch like a USB stick you found in the parking lot.
Look, Steam is still safer than most random download sites, but this episode is a blunt reminder that “available on Steam” is not the same as “audited for backdoors.” If a game has no reviews, no forum chatter, and promises retro pixel nostalgia, maybe scroll past until someone else has taken the malware bullet for you.
Source: Bitdefender