My friend receive a message with heavily altered Steam URL to claim a gift and 10 dollars dissaperar from my account

[flashgordo7]

I downloaded the program again from this repository. Everything was going fine, farming trading cards without any problems. Out of nowhere, my balance dropped to 1 cent overnight. I checked my purchases and transactions, and I saw sales and purchases of items in the market. I thought it might be due to the trading bot, and that seemed fine. However, yesterday, a friend of mine received a message from me with a suspicious link that had a heavily altered Steam URL to claim a gift. I hope this gets resolved soon. Someone unscrupulous is using this application for malicious purposes. I've lost $10 from my account and now have a program I can’t trust.

[Rudokhvist]

Yes, sure, Archi made a program that works fine for 3 million users just to steal $10 from you. Why do you even assume that this happened because of ASF?

[flashgordo7]

This is the only program to which I’ve granted access to my Steam account, the only one I’ve provided with the 2FA code, and the only one that has an access token. Additionally, I don’t think I’m the only one who has experienced issues related to this. You should consider it as a potential vulnerability. I’m sure others have encountered something similar. I’m sharing this so you can review the program’s source code.

Explain to me, then, why, with ASF being the only program with access to my account, I start using it and encounter these anomalies.

Here is a link and the title of a post that explains how a method exploits a bug in ASF to steal inventory:

Article Title: Beware of unknown method which steal inventory through ASF IPC (on VPS)
https://steamcommunity.com/groups/archiasf/discussions/6/3057365873428498659/

Link to the bug description and patched version of ASF:
GHSA-wxx4-66c2-vj2v

Thank you.

[JustArchi]

You've mentioned a bug that I've fixed over 3 years ago, and that bug required very specific environment connected to the internet with IPC, not just launching ASF locally as most of the people do. Unless you're running 3+ years old ASF version connected directly to the internet, you're not vulnerable.

[JustArchi]

To give official statement, no, ASF is not a cause of your situation - this mostly happens when you put your details into a phishing site. It doesn't have to happen on the same day, scammers usually set up access to your account and wait for convenient moment to execute action - usually when you're away or likewise.

See https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Extended-FAQ#right-after-launching-asf-ive-lost-all-my-accountsitemsfriends when I explain it in more detail, especially:

Statistically speaking, regardless how sad it is, it's guaranteed that shortly after launching ASF there will be at least one guy who will die in a car accident. The difference is that nobody sane will blame ASF for causing it, but for some reason there are people who will accuse ASF of the same just because it happened to their Steam accounts instead. Of course we can understand the reasoning for that, after all ASF operates within Steam platform, so naturally people will accuse ASF of everything that happened to their Steam-related property regardless of lack of any evidence that the software they ran is even remotely connected with that whatsoever.

Completely irrelevant of the above, ask yourself how likely it is that out of 3+ million of accounts using ASF, with people having hundreds of thousands of dollars on them, I'd personally target you with my program to steal $10 out of your account.

[flashgordo7]

Today i have uploaded the .exe to VirusTotal has 1 alert as Malware and the sandbox Yomi too

https://www.virustotal.com/gui/file/45fa9e56116373a1641bda580f8df052a2e58a5503a8a5e230804725e39ceb69/behavior

[Rudokhvist]

https://github.com/JustArchiNET/ArchiSteamFarm/wiki/FAQ#asf-is-being-detected-as-a-malware-by-my-antivirus-whats-going-on

[Abrynos]

I've never heard of "Yomi Hunter", but a quick google search yielded a few results and it seems to have a pretty bad reputation including comments such as "it flags every single .exe it doesn't yet know as a virus"

[flashgordo7]

[Rudokhvist]

Ok, you've got us. It's a malware that Archi made 10 years ago specifically to scam you and only you. Please, for your safety, remove it from your PC and never install it again.

[flashgordo7]

I am merely reporting something that happened so the person in charge of this can rule out a potential vulnerability. That’s why I’ve communicated it only here. However, based on the response you’re giving, it says a lot about the kind of treatment you provide to your users. And yes, I did it after being told, but I had already removed it from my computer beforehand—there was no need for you to tell me. Oh, and I will inform others not to install it either, as the technical support has not been very friendly. Thank you.

[flashgordo7]

I appreciate that you have responded, but I want to make something very clear: I am not a developer nor am I here to take responsibility for fixing bugs in your software. While I am a 'user', it does not mean that I should be burdened with vulnerability research or the responsibility of testing the integrity of your code. That is your job as developers and project managers, not mine.

As users, we have the right to point out problems and report what we perceive as flaws. My report on the obfuscated code detected by VirusTotal is not an unfounded accusation, but a legitimate concern that should be taken seriously. I am not here to take on the burden of technical proof or to do their job, much less to be disqualified or ridiculed for pointing out something that could pose a risk to the security of user accounts. If your software has vulnerabilities, it is up to you to fix them, not us who use them.

Also, I would like to remind you that even though ASF is a free and open source project, that does not absolve you of the responsibility to treat users with respect and to provide professional and technical responses. The dismissive and sarcastic attitude you have shown so far only reflects a contempt for those who contribute to the growth of your community.

Finally, I do not accept that you continue to treat me as if I am responsible for something that is not my responsibility. I am not a member of the team to correct your failures, and your behavior only causes further loss of confidence in the project. If your approach continues to be to disqualify users and evade responsibility, you will lose much more than a report: you will lose the respect of your community.

I hope they will come to their senses and provide a technical, professional and, above all, respectful response.

[Rudokhvist]

Answer to the false positive on one faulty tool on VirusTotal in a technical, professional, and respectful manner is explained in FAQ, I gave you the link above.
Difference between coincidence and consequence in a technical, professianl, and respectful manner is explained in Extended FAQ, Archi gave you the link above.
If you've had a tiniest bit of respect to our work and time we spend on support, you would read FAQ before creating unfounded accusation post here. So don't be surprised you are treated in appropriate way.

I hope that you will come to your senses and start reading and thinking before writing.

[flashgordo7]

It appears that they continue to shy away from a technical and professional response to the legitimate concerns I have raised, and are focusing on disqualifying my report rather than addressing the actual problem. They have directed me to the FAQ and Extended FAQ, but that doesn't change the fact that as the developers of this project, they have a responsibility to investigate any possible vulnerabilities reported and provide a detailed and transparent response.

However, beyond the FAQ, I want to point out something you seem to have overlooked: the behavior you have displayed in these responses may be in violation of GitHub's Code of Conduct, which calls for respectful and professional treatment of users and community members. Your sarcastic attitude and the manner in which you have responded to my concerns are not only inappropriate, but also damaging to trust in the project. GitHub has a clear standard of behavior that you must follow, and if you continue with this approach, I will be obligated to report this situation as a violation of that code.

If they truly value their community and their work, they should reflect on how they are treating users who are simply looking for clear and safe answers. I am not responsible for investigating bugs in the software you develop yourselves. I demand a real technical answer, no more evasions and disqualifications that only show a lack of professionalism.

[flashgordo7]

I have noticed that you have closed the issue without adequately addressing or responding to my concern. This not only demonstrates a lack of seriousness in addressing the reported problems, but also ignores the legitimate concerns I have raised.

Simply addressing the FAQ without a concrete technical response solves nothing. If you are closing the topic to avoid serious discussion, I must remind you that, as developers of a public project on GitHub, you are bound by the platform's Code of Conduct, which requires respectful and professional interaction at all times. This evasive and dismissive behavior is a violation of those principles.

I demand that the issue be reopened and a technical response provided that addresses the safety concerns I have outlined. If the behavior continues, I will be forced to report this incident as a violation of the GitHub Code of Conduct.

[Rudokhvist]

You got your clear and safe answer at once - you issue is NOT connected to ASF in any way. If you want answer - that's it. If you want to prove it's a wrong answer - go on and prove it.

[JustArchi]

I have pointed out specific concerns, such as the detection of obfuscated code by tools like VirusTotal

Your "concern" is entirely invalid. First of all, that's not obfuscation, that's packing, something your own screenshot tells - indicator_packed. Packing is a process of merging several different assemblies into one output, which is precisely what your win-x64 analyzed exe is. If you run the same detection engine against ArchiSteamFarm.dll from generic package, then you'll no longer find such trace. You could ask why your VT report states so, and I'd explain it to you, but you instead jumped to accusations with zero technical knowledge what your VT report even says, and accused ASF of doing something that it does not. That's attacking open-source software and people behind it, as you also imply indirectly that people in charge of it - that's me, put whether intentionally or by omission malicious code into the project, which is entirely false accusation.

If ASF is not responsible, as you claim, prove it with clear facts and professional support

What you're asking for is impossible. In order to prove that software is responsible, you can point out exact code line, block of code, library or any other embedded resource that is causing your issue. You, instead, expect proof that software is not responsible, and the only way for proving that, is analyzing whole ASF source code and determining that based on lack of any evidence that points to such malicious behaviour, which I've already done as a maintainer and main contributor to the project, since as stated in the FAQ I already linked to you, ASF is free of malware and similar behaviour. That's not a statement made to dismiss the case, that's a statement made based on my technical knowledge and best intentions, a statement you're of course free to object to, but in order to prove it being invalid you are in charge of pointing out exact behaviour that leads to your malicious situation, not me making up some undeniable proof that it's truly the case - because such proof doesn't exist.

that doesn't change the fact that as the developers of this project, they have a responsibility to investigate any possible vulnerabilities reported and provide a detailed and transparent response

That's also entirely false. The license of ASF software clearly states that:

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

You're using this software at your own risk and you can't demand anything from anybody, especially contributors, maintainers and other people involved in the project.

I have noticed that you have closed the issue without adequately addressing or responding to my concern.

Your concern was addressed fully, just because you don't agree with it doesn't change the fact that you got professional and concrete reply to your concerns, even though nobody here is obligated to give you that, since I could as well ignore your issue entirely and close it without a response.

If you have actual reproduction steps or any meaningful input that could hint me or any other contributor into the loophole or other code misbehaviour that can be corrected, as stated in contributing guidelines, you're more than welcome to do so. Stating "ASF is malware", showing VT report that confirms OS-specific packages are packaged as single-file executables (because, guess what, that's their purpose, as explained in compatibility wiki section), without any additional input renders looking for your issue impossible, as you didn't even isolate the case properly, let alone found the exact misbehaviour that causes your issue.

Also note that I'm in charge of the project, not other people you've been talking with above. Even despite of that, I didn't find their comments as violating ASF's code of conduct, nobody here attacks you personally, merely proving that you're wrong, and it's normal that people take it personally if you attack them or their work, which you do by accusing ASF of your loss.

You're free to report your "concern" to GitHub if that makes your day any better, you're also welcome to refrain from using my software in the future if you believe it's malicious, and I'd suggest you doing that since you seem completely lost in terms of your account safety, so only losing your digital property again without using ASF can spark some idea in your head that perhaps your accusations were wrong to begin with. After all that seems to be the "proof" you're looking for.

Further discussion is moot, there is nothing you neither me can add to this case, apart from personal attacks and repeating the same arguments again, which does not move this discussion any further.