Funnily enough the same group found a wormable exploit in Valve's Alien Swarm, a mostly forgotten game with a tiny playerbase, and Valve fixed it in 3 months.

https://secret.club/2020/10/30/alien-swarm-rce.html

Meanwhile CS:GO, their flagship game with over a million daily peak players, has numerous wormable RCEs reported and ignored for as long as 2 years.

Valve works in mysterious ways.

I think the difference with this exploit is that according to the people who found the exploit, it affects all Valve games that use the Source engine, not just CS:GO like the article says. Trying to fix it could end up breaking multiple games if it's done incorrectly.

Does requiring action from the next victim still classify it as wormable? Almost any malware good send messages to friends trying to social engineer them into running malware.

It doesn't meet the strict definition of wormable, but the user action required for it to spread is so benign that it's pretty close

A CS:GO player getting an invite to play CS:GO from someone on their friends list isn't likely to raise any red flags