If you play CS:GO, Half-Life, Team Fortress 2, or Left 4 Dead, you might want to be careful if you receive a Steam invitation.

because it appears that the Source engine in some games, including CS:GO, contains a vulnerability that could allow cybercriminals to send malware via Valve's popular gaming platform. To make matters worse, Valve has apparently known about this flaw for two years and has yet to fix it.

This information comes from BleepingComputer, a security news site focused on viruses, malware, ransomware, and similar threats.

The story of the Steam invite malware began two years ago when the security research team "Secret Club" reported on Twitter that they had discovered a bug in the Source engine. [This prominent game engine powers titles such as Counter-Strike: Global Offensive (CS:GO), Left 4 Dead 2, and even Portal, among many others The number of people playing Source games on Steam is always in the millions

Seeklet.

The Secret Club stated that it went through all the appropriate channels. Florian, a member of the Secret Club, submitted the vulnerability to Valve's bug bounty program and was rewarded for his efforts and promised to fix the Source code. However, two years later, and as of the latest patch for CS: GO, the problem still exists.

The bad news is that if you are looking for ways to protect yourself, there is no way to do so except to avoid Source engine games altogether. However, that is not realistic, given that these games are among the most popular multiplayer titles on Steam.

Here's how the potential exploit works: an unsuspecting user logs into Steam and starts playing CS:GO (or an equivalent game). The cybercriminal then sends the user a Steam invitation filled with malicious code.

This code takes advantage of a vulnerability in the Source engine, which allows cybercriminals to inject additional code into the user's PC. From there, they can install malware, incorporate the computer into a cryptocurrency mining botnet, install keyloggers, and all the other standard tactics of malicious hackers.

The good news, however, is that Florian is being deliberately vague about the exact details of the vulnerability. As far as we know, no one has ever taken advantage of this vulnerability, and it is probably too obscure and complex for most hackers.

Strictly speaking, Valve has not forbidden Florian from discussing the flaw in detail. At this point, not knowing how the vulnerability works may be the only way to keep CS:GO players safe.

Valve did not respond to BleepingComputer's request for additional details; Tom's Guide has also reached out to Valve for comment and will update this article when we hear back.

No one knows if a patch for the Source engine is just around the corner or still years away. For now, CS:GO players should invest in the best Windows 10 antivirus software available.