Wallpaper Engine Malware Alert: Malicious Files Found on Steam Workshop

Kaspersky identified malware spreading through the Steam Workshop via the Wallpaper Engine application on June 18, 2026. The security firm reported that malicious actors uploaded infected wallpapers, exposing users to PC malware and potential account theft.

Wallpaper Engine, an application with approximately 20 million downloads, serves as a delivery vector for these threats because it allows users to download community-created content. According to Securelist, the research arm of Kaspersky, several malicious wallpapers were discovered on the Steam Workshop, some of which had been downloaded thousands of times before detection.

How does the malware spread through the Steam Workshop?

The malware utilizes the Steam Workshop’s community-led distribution model. Users upload custom wallpapers that other players can download and apply to their desktops. Attackers embed malicious code within these assets, which then executes on the victim’s system upon installation.

Windows Central reports that Wallpaper Engine spread this malware unwillingly. The application itself is not the source of the malicious code, but its reliance on user-generated content creates a vulnerability that attackers can exploit. This allows the malware to bypass traditional software installation warnings since the content is delivered through a trusted platform like Steam.

What are the risks to Steam users?

The primary risks involve the compromise of the user’s local system and their digital identity. Securelist warns that these infections can put gamers’ accounts at risk, potentially leading to the theft of login credentials or session tokens.

According to PC Gamer, the scale of the threat is amplified by the popularity of the specific infected files. When a malicious wallpaper gains popularity and is downloaded thousands of times, the surface area for the attack grows rapidly before security researchers or platform moderators can intervene.

How does this differ from traditional software vulnerabilities?

This incident highlights a contrast between software bugs and platform abuse. Traditional vulnerabilities usually involve a flaw in the application’s code that an attacker exploits. In this case, the “vulnerability” is the intended functionality of the Steam Workshop.

While Windows Central frames the spread as an accidental byproduct of a community feature, Kaspersky’s reporting focuses on the active exploitation of user trust. This mirrors a broader trend in cybersecurity where attackers target “trusted” third-party repositories—such as npm for JavaScript or PyPI for Python—to distribute malware through legitimate channels.

The consequence for the user is a breakdown in the assumed safety of the Steam ecosystem. Users often treat the Workshop as a curated environment, but the volume of uploads makes manual verification of every file difficult for Valve or the app developers.

What happens next for Wallpaper Engine users?

Users are advised to be cautious of community uploads, even those with high download counts. Because the malware was distributed via the Workshop, the most effective immediate defense is the removal of suspicious assets and the use of updated antivirus software to scan for the specific signatures identified by Kaspersky.

MakeUseOf notes that the incident underscores the risk inherent in any app that allows the execution of community-provided scripts or assets. Future mitigations may require more stringent sandboxing of community content to prevent wallpapers from accessing sensitive system files or account data.