Can games from itch.io be trusted anymore ?

A topic by HamUnDo created 15 days ago Views: 901 Replies: 25
(+2)

The last games I downloaded here, were all corrupted ... they contained an archive inside an archive ... the second archive - which is not scanned by default by most AV software - had a trojan inside ...

The first time I didn't think much about it ... I had archives inside archives before ... but when the game.exe (RPGM) started a setup-routine, I was on high alert and stopped the process ... Avira approved my suspicion ... it was a trojan/malware ...

The game pages have no comment section and the provider's profiles are hidden/private ... so there are no means of quick/direct communication ...

Is this some kind of trend or am I just unlucky here ?
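An added example, not part of the original thread: a way to look inside a downloaded zip for the archive-inside-an-archive layout described above without unpacking or running anything. The function names, the depth and size limits and the sample archive are assumptions made for this sketch; only zip nesting is followed, other archive types are merely reported.

```python
import io
import zipfile

# Magic bytes are checked instead of file extensions, which are trivially faked.
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar",
                 b"7z\xbc\xaf\x27\x1c": "7z", b"\x1f\x8b": "gzip"}
EXEC_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "Linux ELF"}
MAX_DEPTH = 4                  # stop descending: guards against archive bombs
MAX_MEMBER = 64 * 1024 * 1024  # skip members that claim more than 64 MiB

def sniff(head, table):
    return next((kind for magic, kind in table.items() if head.startswith(magic)), None)

def inspect_zip(data, path="", depth=0):
    """Walk a zip held in memory (nothing is written or executed); return findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = f"{path}/{info.filename}" if path else info.filename
            if info.flag_bits & 0x1:  # encrypted member: scanners cannot see inside
                findings.append((name, "encrypted member"))
                continue
            if info.file_size > MAX_MEMBER:
                findings.append((name, "oversized member, not read"))
                continue
            body = zf.read(info)
            exe, arc = sniff(body, EXEC_MAGIC), sniff(body, ARCHIVE_MAGIC)
            if exe:
                findings.append((name, f"executable ({exe}) at depth {depth}"))
            elif arc == "zip" and depth < MAX_DEPTH:
                findings.append((name, "nested zip"))
                findings += inspect_zip(body, name, depth + 1)
            elif arc:
                findings.append((name, f"nested {arc}, not inspected"))
    return findings

def build_sample():
    """Constructed sample: outer zip -> inner zip -> fake 'Game.exe' (MZ header only)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Game.exe", b"MZ" + b"\x00" * 62)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"unpack and run")
        z.writestr("game_data.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for member, finding in inspect_zip(build_sample()):
        print(f"{member}: {finding}")
```

A finding here is a reason to look closer, not a verdict: plenty of legitimate games ship an executable, and a clean listing says nothing about what that executable does.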

(+2)

This is not a new thing.

https://itch.io/t/1659440/psa-beware-the-try-my-game-scam

https://itch.io/t/3512426/itch-is-not-a-safe-place-do-not-download-things

No, you cannot trust a game because it is hosted on Itch or has an Itch project or is uploaded on an account that is old. Or because the project is older. 

It is trivial for bad actors to circumvent Itch scanners by doing trial and error. It is trivial to create a new account. And I did see literally hundreds of hacked accounts used for uploading malware. Oldest malware I found was over two years old.

Their profiles are not hidden. You speak about the missing link to their profile, I guess. There is none, because it is empty and has no comments. That's not unusual for regular profiles. The malware uploaders constantly change their patterns, so it is moot to talk about specifics. They just try around till they get indexed. And I guess there are a lot of bad projects caught early that we do not even see, but we do see some of the collateral by all those developers complaining about being put in quarantine.

My general advice is to establish trust by different means. Which mostly translates to not downloading new & shiny things. And treating any downloads as unsafe. So using sandboxing methods is recommended. Coincidentally, the Itch app provides a user level sandbox. This should prevent browser data theft, like login cookies.

I have seen malware that did not trigger on virustotal, malware that was signed and, to shame Itch's scanners, malware that was immediately caught by Windows Defender. Malware on an account with about a hundred followers and so on.

Also blog postings that link to malware on accounts which have 50+ followers. And of course the recent trend of spamming comment sections with links to malware.

(+2)

Now that I think about it ... all other games I got from here could be played in browser and/or have an active communication via DM or comments ... some provide their projects on other websites too ...

Guess we have to stay alert and better avoid shiny new offers ... especially when there are no comments or an empty profile ...

And with such a flood of scams ... probably thanks to AI ... I don't wonder anymore, why there is no answer to my reports ...

(+2)

Sadly you cannot use an empty or non-empty profile or comments as an indicator. The malware uploaders change these patterns and fake whatever they think will make them look less suspicious. Including comments made by their fake account and comments/ratings on their malware projects.

You forgot the other four games on that one account in your collection ;-)

Copy paste the username after the / to access the profile. That works for empty profiles that have not made comments, but posted games.

https://itch.io/profile/

You can do so with a bookmarklet on the account's page.

javascript: (() => {
window.location.href=`https://itch.io/profile/${window.location.hostname.split('.')[0]}`;
})();

I just mentioned, what the corrupted games/pages had in common ... missing comments or empty profiles are no (un)safe indicators ... but they will make me extra cautious ...

I stumbled upon the games through my search filter ... they were new and I got intrigued ... I am not actively hunting scammers ...

I'll keep in mind to copy-paste the username if necessary ... but I don't understand much about scripting ... so the java thingy is more like "nah, better not touch" ...

(+1)

Oh, in a given time frame, the malware projects usually share some attributes. But a few weeks later they could look completely different in regard to the key aspects you learned to use as an indicator. Last time I had a look at recent games there were malware with comment sections...

You need not actively hunt scammers, but the ones you do stumble upon, please report them. Once you recognise the current patterns, they are rather easy to spot at a glance with high confidence. Obviously, the top 4 weeks of recent will have the highest density of malware. Itch will not seek out those scammer pages actively. It is evident that their automatic scans did not catch the ones you do see in the search pages. So they need those reports to act.

I also did not actively hunt for those, but I use a browser extension to mark known games/creators. So if I browse recent, I will only see games I have not yet marked. Increasing the density even further.

(+1)

Malware creates a vicious cycle for legit games: No comment --> potential players think it's suspicious --> no download --> no comment

(1 edit)

It is not just the lack of comments ... in this case you do not even have an option to leave a comment ...

But I see your point ... the "no-comment-rule" might start a witch-hunt on games/devs, that don't have comments yet ...

"you do not even have an option"

That's surprising. I have comments enabled on all my games.

Well ... somehow all those malicious games had comments disabled ... I am no creator nor did I ever publish for one ... I do not know if comments can be disabled ...

As I said before ... the suspicious part is the lack of an opportunity to leave comments ... not that there are not yet comments on a project ...

(+1)

Of course you can disable comments as a publisher. You can also disable ratings. And you can switch to a topic based comment section. Also, the publisher can delete comments. I have seen malware with enabled comments where the criminals would delete certain comments. Or post fake comments.

(1 edit)

Have you ever seen malware you had to pay for ? - If not ... that would be an indicator for safe content ...

A sales concept would make them traceable ... unless they used ID theft for their accounts ...

Yes.

With minimum price and with pay what you want. With sale and without sale. If it will make people trust the page, the scammers will try to fake it, so there is no single indicator that vouches for a game's safety. Hmm. Maybe the verification checkmark. But those are very rare. You will see some of those accounts on the top rated pages. But this will only say that the account was verified. It will not guarantee that the account is unhacked.

They are reluctant to enter the fake into a jam. But I have seen that too.

It's a combination of indicators either way.

These are sad times ... when you basically can't trust anyone ...

Theoretically ... any provider/creator could be hacked ... or an imposter ... or just a scammer ...

The only solution is ... do not rely on your automated security software ... always double check manually ...

(1 edit)

Sandboxing.

The less a malware does, the harder it is to detect. Even a simple sandbox will protect your browser data. So in theory the malwares that do hard stuff might get caught in the scanners. And the data stealers will not have the rights to read your files, since you run them in a sandbox.

One might wonder why the Itch app provides a sandbox mode. One can really wonder why.

(My guess is that it was just trivial to implement and sandboxing will also protect the system against shenanigans from inexperienced developers that unintentionally do bad things on the system.)

But checking the shiny new thing carefully is a good idea anyways. If you see a popular paid game for free here, that's suspicious.

Me as a creator have a problem too. I provide a SHA 256 with my games, which should in theory allow you to check whether the file you downloaded is identical with the file I uploaded. But what if they hack my page and change the SHA 256 too?

(+1)

A sha256 is only good if you have an authoritative original source where you can check that number. Usually in a situation where the original source does not have the capacity for downloads, so you use a mirror that might be compromised. So I would not even check that number, if I downloaded your game from Itch.

A typical malware using your game would just create an account, upload your game with added malware and not even mention a checksum. I did see fake and original indexed side by side here on Itch. Also, indexed fake and a delisted original. That was kinda frightening.

And you are right, if your game was a high value target for impersonation, and you hardcode the warning about looking for that checksum somewhere, they would either change that checksum on the fake page, remove the warning or better, change the link to the fake site.

(I have seen hackings in progress. They would just replace your project with a different project. Too much effort to replace the files. If you were to have hundreds of followers that might download a new infected version, that would be a different matter. I have seen fake accounts with 50 followers :-/ )

Itch does not verify developers, nor their executables. (Oh, they do have basic scanners, but those are ... not up to the task.)

Steam does this in some way. It is very big news, if there is malware on Steam. On Itch this happens probably about 10 times a day. Speaking about indexed projects. Maybe the scammers upload 100 a day and Itch catches 90. Those criminals do that fulltime. And even without bots, someone can easily upload several fakes an hour.

On several weekends last year I easily saw 20+ malware uploads. That 10 per day is a conservative estimate based on experience, not an exaggeration. Around that time I created that thread here https://itch.io/t/3512426/itch-is-not-a-safe-place-do-not-download-things . It was heartbreaking to see dozens of hacked accounts each weekend. I do wonder why I almost never see people complaining in the message boards. There are complaints about everything, but rarely about being hacked. This thread here is one of those very few.
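An added example, not part of the original thread, of the checksum point made in the posts above: a SHA-256 shown next to the download only proves the file matches what the page currently says, while a digest pinned from a separate channel exposes a replaced file. The function names, result labels and byte strings are assumptions constructed for illustration.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_download(file_bytes, page_digest, pinned_digest=None):
    """Classify a download from the digest shown on the download page and,
    optionally, a digest pinned earlier from a separate channel (assumption:
    somewhere an attacker who controls the page does not also control)."""
    actual = sha256_hex(file_bytes)
    matches_page = hmac.compare_digest(actual, page_digest.lower())
    if pinned_digest is None:
        # Same-origin checksum: catches a corrupted transfer, not a swapped file.
        return "integrity-only" if matches_page else "corrupt-or-tampered"
    if hmac.compare_digest(actual, pinned_digest.lower()):
        return "matches-pin"
    # The file differs from the pin. If the page digest still matches the file,
    # whoever replaced the file replaced the published checksum as well.
    return "page-and-file-replaced" if matches_page else "file-replaced"

def scenarios():
    """Constructed inputs: an original build and a repacked copy of it."""
    original = b"constructed game build v1"
    repacked = original + b" + extra payload"
    pin = sha256_hex(original)
    return {
        "honest page, no pin": check_download(original, pin),
        "hacked page, no pin": check_download(repacked, sha256_hex(repacked)),
        "hacked page, pinned": check_download(repacked, sha256_hex(repacked), pin),
        "file swapped only": check_download(repacked, pin, pin),
        "honest page, pinned": check_download(original, pin, pin),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

Without a pin, the honest page and the hacked page give the same verdict, which is the weakness raised in the thread.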

"Steam does this in some way. It is very big news, if there is malware on Steam. On Itch this happens probably about 10 times a day. Speaking about indexed projects. Maybe the scammers upload 100 a day and Itch catches 90. Those criminals do that fulltime. And even without bots, someone can easily upload several fakes an hour.

On several weekends last year I easily saw 20+ malware uploads. That 10 per day is a conservative estimate based on experience, not an exaggeration."

I wonder ... where do you get this information ...

I can't imagine you - or anyone - randomly downloading dozens or hundreds of games daily for fun ... just to check if they're safe to use ...

Are you part of the staff or an IT expert ? - Like a hired hand to test a provider's measurements on safety and integrity ?

I wonder ... where do you get this information ...

That there were malware by the dozen on weekends is what happened and what probably still happens. You personally stumbled over several of them without trying. 

randomly downloading dozens or hundreds of games daily for fun ... just to check if they're safe to use ...

It is neither randomly, nor is a download needed. You also recognised patterns. They change, but within a week they stay noticeable. So it is a few seconds to have high confidence. And of course, I do not check all games. But enough to stumble over a lot of malware.

Oh, and I currently do not browse new games, but wanted to have a look how bad it currently is. It took me less than a minute to find two fake accounts. They have 16 followers together. How do I know? Experience and things I do not want to discuss, since they will change anyway with the next batch of malware uploads. Currently you would also be suspicious of those fake accounts ;-)

Oh, and I tried the smallest of the games out of curiosity and it did not trigger a single scanner on virustotal.

Browsing new games on Itch is dangerous. Using a sandbox is recommended.

(+3)

The games that I have downloaded from itch have not been viruses. But, I have seen games that I'm 99% sure are. If it's a reupload of a legit game, don't download it. I saw someone who had several projects of games like Pokemon Snap and 007: Golden Eye, which were all viruses because it was definitely not the actual developer. A potential way to determine if it's a virus is if the project page has very little work put into it but the game looks super high quality. I just try to be careful, I still download games. But, if you do have another thing like you found of two zipped folders inside each other, delete the file, empty the trash, and report the project page. Also, never click on links in comments that say things like "New version here ..." It's too bad that there are viruses on itch, though. There are some great games on here, but you've just got to be careful.

Most viruses target Windows so a game that doesn't have a Linux download is more likely to be a virus.

(+1)

Of the three malware accounts I found in the last few minutes out of curiosity, two had linux downloads. 

It's really bad out there. Recent is a minefield. I do not even try hard and found three within a minute or so.

Anyway, I mean what I said. If there is any indicator, any at all, that would increase trust, the criminals will fake it. Including having a linux, mac or android download. That's even one of the easiest things to fake. That's a reason why I do not like to talk about how to spot fake games. It is useless in a week or two and it will create fake confidence in a game's legitimacy.

I am not sure how this is on Linux, but a big deal of what those malware do is spy on your browser data. That should be doable on Linux too. If that malware process runs on the same Id as the user running the browser, that process should have reading rights to the browser data. That means login cookies that can circumvent some 2fa logins.

(1 edit)

Oh, I remember ... back in the early 2000s ... when file-sharing was popular ... I set up a Linux system ... after some unpleasant incidents ...

"FEHLER: Programm kann nicht ausgeführt werden. Falsches Betriebssystem."

Those times are gone ... Linux and MacOS/iOS are widespread today ... malware will run on those systems too ...

(+1)

You're right. Even if the game has downloads for several platforms, some of the downloads can hold viruses. :-(

If you have an old PC that doesn't meet the hardware requirements of the new Windows, you can install Linux (Ubuntu or other) and test the games on it while being offline. You can also run Windows games inside Wine.

(+1)

Linux might not be safer than Windows ... but it's a good chance to keep my old lady alive ...

Yes, always prolong the lifespan of your functioning hardware !