Researchers have found malicious Wallpaper Engine downloads distributed through Steam Workshop, and they’re not just trying to make your screen look weird.

According to Decrypt, the infected downloads deliver more than one payload. The report says the malware acts as an infostealer, installs a backdoor, and includes account-hijacking components. In other words, it aims to take data first, then keep access.

How it shows up on Steam

This is the core problem. Steam Workshop is designed for user-submitted content. Decrypt reports that the bad Wallpaper Engine content was packaged in downloads associated with Wallpaper Engine, then shared through the Workshop distribution channel.

That means the attack path does not require a browser exploit or a credential-theft lure on a random website. It starts with installing what looks like normal wallpaper content for a desktop app.

What the malware is trying to do

Decrypt’s account is direct about intent. The malicious downloads distribute:

  • Infostealers that target information stored on the device.
  • Backdoors that can enable continued control after initial compromise.
  • Account-hijacking malware that targets online access tied to the compromised user.

That combination is common in credential-driven intrusion chains. If your machine gets a foothold and then the attacker can reach accounts, the damage expands fast.

Why “wallpaper” matters

A wallpaper app sounds harmless. Wallpaper Engine is also popular, which increases the blast radius of any supply-chain style content compromise.

For users, the practical takeaway is boring but important. Decrypt’s finding frames this as distribution through a mainstream platform, not as an exotic exploit. If malicious files can ride along with Workshop downloads, every new install becomes a security decision.

What defenders should do now

Decrypt’s source text is brief, so there are unanswered questions. The report excerpt doesn’t include specifics like which Steam accounts were hit, whether wallet credentials or session tokens were targeted, or which detection signals exist.

Still, the event suggests basic containment steps for anyone who installed suspicious Workshop content tied to Wallpaper Engine:

  1. Stop using the specific wallpaper download tied to the incident.
  2. Run a malware scan with reputable tooling and consider a full device scan.
  3. Review account security for any sign of unusual logins or changes.
  4. Assume credentials may be exposed if infostealers were involved, even if the compromise timeline is unclear.

The unanswered questions security readers will want

Decrypt’s report summary does not spell out whether the malicious content is still live on Workshop, how widespread the infection is, or how researchers confirmed the backdoor and hijacking behaviors.

It also doesn’t clarify whether Steam itself flagged and removed the content after discovery, or whether the defense was limited to user education and investigation.

Those gaps matter. The difference between a one-off sample and an active campaign changes how urgent the response is.

If you want the clean version of what’s confirmed from Decrypt, it’s this: researchers found malicious Wallpaper Engine downloads on Steam Workshop that distribute infostealers, backdoors, and account-hijacking malware.