This thread is due to experience on this site, leading to my thread where I will post any offending profiles and evidence.
https://itch.io/t/700501/malware-accounts-to-be-removed
1) These packages were obvious malware even before inspection, due to several reasons.
Age of games, size of distro, text saying these big name demos are exclusive to itch, and the nature of the shiny tempting bait.
Let's just say, everything about it made my spidey-sense hit me round the head with giant alarms, whistles, gongs and klaxons.
2) Using VT corroborates the suspicion due to the exceptionally heavy weight of evidence against the packages.
VT definitions can be at most 1 month out of date. This is where it actually fails.
Often malware writers will release their new code the day after VT update so they have a longer window of operation.
When you see a file get between 1 and 3, maybe 5 hits, depending on the AV brands, you can often discount it as a false-positive.
When you see over 40 AV (including the most trusted 5) all agree something is malware, you'd have to be a fool to decide they are wrong, unless you either wrote the offending code, or are yourself a top-rate security and crypto coder.
3) OPSWAT Metadefender is a client which uses either the online AV engines or a locally installed core on the network.
It uses multiple AV engines, though not as many as VirusTotal; however, it does use all the regular top 5 contenders for detection, inc. Avira, Bitdefender, Kaspersky, and more.
4) Both use a remote sandbox for running executable samples and will see what they actually try to do. This often triggers more warnings that the sample may be malicious.
It is also a useful way for devs to work out why their software is being detected as a false-positive.
I can probably undelete the samples and let you have them if you are so sure they are fine.
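
The rule of thumb in points 2 and 3 above, written as a triage function over a multi-engine report. This is an added example, not part of the original post: the report shape, the generic engine names, the `triage` and `make_report` helpers and the exact cut-offs (5 and 40, read off the post's wording) are assumptions, and all sample data is constructed.

```python
# Trusted set: only the engines the post names; extend it as you see fit.
TRUSTED = {"Avira", "Bitdefender", "Kaspersky"}
OPINIONS = ("malicious", "suspicious", "undetected", "harmless")

def triage(results, trusted=TRUSTED, low=5, high=40):
    """Classify a report of engine name -> {"category", "result"}."""
    # Engines that timed out or cannot parse the file gave no opinion.
    voted = {e: r for e, r in results.items() if r["category"] in OPINIONS}
    hits = {e for e, r in voted.items()
            if r["category"] in ("malicious", "suspicious")}
    trusted_voted = trusted & voted.keys()
    trusted_hits = trusted & hits
    if not hits:
        verdict = "no-detections"          # fresh samples can predate signatures
    elif len(hits) > high and trusted_voted and trusted_hits == trusted_voted:
        verdict = "malware"                # broad agreement incl. trusted engines
    elif len(hits) <= low and not trusted_hits:
        verdict = "likely-false-positive"  # a handful of lesser-known engines
    else:
        verdict = "needs-review"           # e.g. few hits, but from a trusted engine
    return {"verdict": verdict, "hits": len(hits), "voted": len(voted),
            "trusted_hits": sorted(trusted_hits)}

def make_report(n_hit, n_clean, trusted_flagging=(), n_timeout=0):
    """Build a constructed report: trusted engines plus generic ones."""
    rep = {}
    for name in TRUSTED:
        cat = "malicious" if name in trusted_flagging else "undetected"
        rep[name] = {"category": cat,
                     "result": "Trojan.Generic" if cat == "malicious" else None}
    for i in range(n_hit):
        rep[f"Engine{i}"] = {"category": "malicious", "result": "Gen:Variant"}
    for i in range(n_clean):
        rep[f"Clean{i}"] = {"category": "undetected", "result": None}
    for i in range(n_timeout):
        rep[f"Slow{i}"] = {"category": "timeout", "result": None}
    return rep

if __name__ == "__main__":
    for label, rep in [("bait package", make_report(40, 20, TRUSTED)),
                       ("indie build", make_report(2, 60)),
                       ("one trusted hit", make_report(1, 60, {"Kaspersky"}))]:
        print(label, triage(rep))
```

A `needs-review` or `no-detections` result is where the sandbox run mentioned in point 4 earns its keep.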