A security researcher found a self propagating worm hidden in a Maya file on Epic Games' Fab.com marketplace, and separately AV Comparatives' February to May 2026 Real World Protection Test awarded ADVANCED+ — its top award — to only 7 of 20 consumer security products.
A security researcher found a self-propagating worm hidden inside a 3D model file on Epic Games' Fab.com asset marketplace, according to the AV-Comparatives release. Separately, AV-Comparatives ran its February-to-May-2026 Real-World Protection Test — a four-month evaluation of twenty widely used consumer antivirus products against live internet threats. According to the announcement, only seven of the twenty products earned the lab's top ADVANCED+ award: Avast, AVG, Bitdefender, Kaspersky, Microsoft, Norton, and TotalAV — meaning thirteen did not.
The test is run by AV-Comparatives, an independent cybersecurity testing organization based in Innsbruck, Austria, that describes itself as the world's leading independent cybersecurity testing organization. It is one of the few public scoreboards that pits consumer security software against live internet threats rather than curated malware samples. The twenty home-user products in this cycle were evaluated under controlled conditions against real-world attacks, including malicious URLs. The full report is freely available at av-comparatives.org without registration, per the announcement.
The Maya worm finding shifts the consumer threat picture. Autodesk's Maya is professional 3D software used across film, games, and design; Fab.com is Epic Games' marketplace for buying and selling 3D assets, plugins, and other creator content. A worm that travels inside a 3D model file turns a creator-tool supply chain into a malware delivery channel, the kind of "increasingly unexpected sources" the lab flagged in its release. AV-Comparatives disclosed the Fab.com finding to Epic Games' security team before publishing, so the threat is contained to the test environment rather than an active Fab.com breach.
The worm, named MEL/Vacphage.A, was a Python-based worm embedded in Autodesk Maya Binary files distributed through Fab.com, a widely used creative asset marketplace trusted by professionals and hobbyists alike, according to the AV-Comparatives release. "Our Fab.com discovery is a reminder that malware does not always arrive via suspicious links or shady downloads," said Andreas Clementi, founder and CEO of AV-Comparatives. "It can come from a platform a professional or enthusiast visits every day."
For consumers, the practical takeaway is that the old threat advice — avoiding suspicious links and not opening unknown attachments — no longer covers the attack surface. A 3D asset downloaded from a reputable marketplace can carry working malware. The new question for buyers is not only whether a file comes from a trusted source, but also whether the security product on the machine actually catches novel threats from those trusted sources. AV-Comparatives' ADVANCED+ rating, the highest award tier, is meant to answer that question for the products that earn it.
The 7-of-20 split is the news number for buyers. The twenty products tested were Avast One Free Antivirus, AVG AntiVirus Free, Bitdefender Total Security, ESET HOME Security Essential, F-Secure Internet Security, Fortect PC Suite, G DATA Total Security, K7 Total Security, Kaspersky Premium, Malwarebytes Premium, McAfee Total Protection, Microsoft Defender Antivirus, Norton Antivirus Plus, Panda Free Antivirus, Quick Heal Total Security, Sophos Home Premium, Total Defense Essential Anti-Virus, TotalAV Premium, Trend Micro Internet Security, and VIPRE Advanced Security. The seven that earned ADVANCED+ were Avast, AVG, Bitdefender, Kaspersky, Microsoft, Norton, and TotalAV. The full report on av-comparatives.org is the authoritative source for the per-product protection rates and false-positive counts.
There is a limit to what this test can tell a reader. It runs for four months against a specific threat feed; it does not measure performance, system impact, privacy, or how a product behaves over a year of use. A product that missed ADVANCED+ is not unsafe, and a product that earned it is not invulnerable. The test is one credible data point among several, and the lab itself notes that consumer threats are now arriving through channels the old advice does not cover.
The next test cycle begins later in 2026. If the Fab.com-style supply-chain threat becomes a regular pattern, expect the lab and independent security press to keep testing it.