Valve distributing bizarre bogus files in their official Redist depot
I posted THIS sub-forum because there are FAR more technically inclined people in here - and especially when it comes to SteamCMD...
I figured I didn't want to post this in the "generic" "Suggestions / ideas" nor in the "Discussions" as people who have LESS than ZERO clue about the subject would likely maul me and tactically n*ke me with Jester awards :S

So here I am...
My apologies if this isn't the right forum to post in! -__-


I will try to write this OP post in as coherent a fashion as possible, despite the fact that I got freaked out a little...

I was downloading some depots with SteamCMD...
Usual workflow, nothing fancy...
Every depot downloaded correctly except for one...
The one that threw me completely off the rails in my workflow and made me start second guessing myself, and the sole reason of this forum thread...

Here's the command:
download_depot 228980 228990 5087715316087945828

Appid 228980 is "Steamworks Common Redistributables".
MANY ( SteamDB displays a few thousand, but this is likely just SteamDB rate limit, likely more in practice ) games on Steam ( including some SOURCE-based games ) pull from this appid, from the provided depots, and Steam installs those redists on people's computers automatically for convenience, so that no one has to wonder why their games don't launch...

Before anyone asks me "why are you downloading Redists from Steam by hand":
I wanted to have a local backup of all Redists that Steam directly provides, that is all.

depot 228990 is SUPPOSED TO contain "DirectX Jun 2010 Redist"...
Now here's the catch...
in manifest 5087715316087945828, which SteamDB lists as LATEST ( current ), and dated as 2023, those AREN'T Microsoft's files!
They aren't redists either...

SteamCMD downloads 2000-ish of some OTHER FILES.

Here's the top directory list:
( files )
MFGW.exe
MFGW.py
MFGW.sh
( directories )
game
lib
MFGW.app
renpy


I actually did a sanity check that I was running the right command - no issue there ( not a PEBKAC! ).

I re-ran the command a second time ( I fully exited SteamCMD and re-logged in first too ) - same result...


Did VirusTotal lookups on exe, py, and sh files from the main download dir.
They appear clean... ( exe has 2 detections, likely false positive )
sha256 checksums for the 3 files I checked on VT:
e1c7d09afcada193579ac21b5e3c3ab9eb710576ebc835358add821ddde3a139 MFGW.exe
6af25cf47b94af38a4d4d1ea20e48851b2a8f9e557455a3eab439c5e588831bf MFGW.py
611b5b355ed771ce0c8321db0cd1fffae428275c3b320dfa3d47d800b1df09ca MFGW.sh


I also did clamscan ( clamav ) on the whole downloaded directory...
No detections ( tho take it with a grain of salt, clamav isn't exactly flawless... ).


I'm not gonna lie here - I got rather freaked out by this whole situation >__<


So then I looked at SteamDB again...
https://steamdb.info/depot/228990/
Displaying manifest 1829726630299308803 dated 18 February 2013 – 21:47:57 UTC (12.7 years ago)
Now wait a minute...
That's strange...
NORMALLY SteamDB ALWAYS shows the LATEST manifest on the file list - it's to the point I couldn't think of even just ONE case which would do anything otherwise ( any older manifest being displayed instead ).
WHY would they display an OLDER one??

Is this whole situation some sort of "public secret" I know nothing about? o__O

It gets better...
If you go to manifests list, the 1829726630299308803 is actually dated as 2020...
Strange...


So next I re-downloaded the depot, but with the manifest 1829726630299308803 instead ( again: not the "current" one )...
download_depot 228980 228990 1829726630299308803

It downloaded the "correct looking" files - ngl at this point I was SO thrown off the loop I was second guessing myself and "didn't quite trust these files".

So I created checksums of the entire dir.
And then compared those with the DirectX download from TechPowerUp ( regardless of how clickbaity and not necessarily journalistic the website is, their DOWNLOADS section is still quite useful, and the files distributed by them are "clean" ).
( note: I have the checksums list but I WON'T post them here as that's 16 thousand characters and would require me to post in 2 comments - if anyone wants me to post them anyway - say so )
source for TPU download:
https://www.techpowerup.com/download/directx-redistributable-runtime/


RESULT:
- ALL of the files MATCH ( same checksums! ) between Steam ( on the "correct" older manifest ) and TechPowerUp
- Steam has an extra "vdf" file that TPU doesn't have
- TPU has an extra "bat" file that Steam doesn't have ( for more "unattended" / automated install )

So basically - the OLDER manifest for the depot on Steam seems to give the CORRECT, "clean" files...

Why does the new one / current one give some bogus files for something else entirely?
I don't know!! ¯\_(ツ)_/¯


What ( I THINK ) is happening is that either:
A. Steam has a compromised backend
or
B. Some employee with weird sense of humour at Valve wants to get to the FAFO part of their "liability clause" in their work contract ( option "A" with extra steps ).


Someone should contact Valve and tell them to fix this - forget "for yesterday" - this is for "few years ago" ( the manifest is from 2023, and it's the LATEST one ).
Those files should be REMOVED from the backend and replaced with correct ones.
And if for some MIND BOGGLING reason Valve INSISTS on keeping the old manifest contents for "archival purposes" while providing a "newer" manifest with correct files, then at least they should MASK / blacklist the old manifest on the Steam CM side so that people cannot download it ( to my understanding this functionality is now possible on the backend side, unlike many years ago when there was no official way ( >> AFAIK << ) to "block" an older manifest, tho correct me if I'm wrong here ).


I will pre-answer some questions before anyone asks:
1. I am on Linux. Tho I think this is hardly relevant, if at all...

2. My system ISN'T compromised. My security is fine!

3. I don't know what these files are - I am BEYOND confused - and I refuse to "run them" to check. I don't have a ready sandbox on hand...

4. I have "clean" SteamCMD install, official distribution thereof

5. ALL other depots I EVER downloaded using SteamCMD were "correct files". This situation is a FIRST for me...

6. No. I haven't contacted Valve yet ( not sure how to proceed. Their corpo contact form on their corpo-website is half-broken. And I don't fancy messaging Steam Support as the outsourced workers likely wouldn't even forward this "up" at all ).

7. I didn't post this in "Steamworks" sub-forum ( where this would be more appropriate ) because I am not currently registered as a Steam partner ( no OFFICIAL steamworks group access for me ).

8. TO MY KNOWLEDGE no files were actually executed on my system. SteamCMD merely downloaded them and nothing else happened.

9. I am not on any proxy, nor VPN

10. I control all the network equipment between my computer and the first device of my ISP ( there's no chance of any "compromised on premises net eq causing DNS redirects" or whatnot ).

11. I do not have an nginx caching server or anything else

12. This was tested by me on at least 2 different IP addresses
( for clarity: BOTH hit the "wrong files" on the first tested manifest )





Hopefully this OP post was coherent enough and none of you fell asleep by the end of it :P :D


Any thoughts, comments, remarks, info, or for anyone else to run the "wrong" manifest download on their pc to confirm the result - feel free to comment!!
I am all ears here...


P.S.
I spell-checked this post before sending it - however I am a little hungry at the time of sending this - so my apologies in case I missed any typos!
^__^
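The directory-level checksum comparison the post describes ( Steam manifest 1829726630299308803 versus the TechPowerUp download ), as an added example that is not part of the original post: it hashes every file under two directory trees and reports matches, files that differ, and files present on only one side. The sample file names and contents in demo() are constructed placeholders, not the real redist contents.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_hashes(root):
    """Map relative path -> sha256 hex digest for every regular file under root."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            result[p.relative_to(root).as_posix()] = h.hexdigest()
    return result

def compare_trees(a, b):
    """Classify every path as match / differ / only_a / only_b by sha256."""
    ha, hb = tree_hashes(a), tree_hashes(b)
    return {
        "match": sorted(p for p in ha if p in hb and ha[p] == hb[p]),
        "differ": sorted(p for p in ha if p in hb and ha[p] != hb[p]),
        "only_a": sorted(set(ha) - set(hb)),
        "only_b": sorted(set(hb) - set(ha)),
    }

def _write(root, rel, data):
    p = Path(root, rel)
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)

def demo():
    """Constructed sample mirroring the post's result: shared redist files
    match, the Steam side adds a .vdf, the TPU side adds a .bat."""
    with tempfile.TemporaryDirectory() as steam, tempfile.TemporaryDirectory() as tpu:
        for rel in ("DXSETUP.exe", "Jun2010_d3dx9_43_x86.cab"):  # placeholder names
            _write(steam, rel, b"constructed redist payload " + rel.encode())
            _write(tpu, rel, b"constructed redist payload " + rel.encode())
        _write(steam, "installscript.vdf", b'"installscript" {}')
        _write(tpu, "install.bat", b"DXSETUP.exe /silent")
        return compare_trees(steam, tpu)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Point compare_trees() at the two real download directories to reproduce the check; a non-empty "differ" list is the case that would actually indicate tampered or corrupted files.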
Showing 1-1 of 1 comments
How about going via the Valve security contact?

https://www.valvesoftware.com/de/security

At least from your description this looks like a broken upload, although I suspect more of an error than an actual security problem, but I know from our IT sec department that they would rather have too many requests than miss out on some that might be important later on.