Abstract

Before all desktop applications were web applications pretending to be desktop applications, there was Steam. In September 2018 I achieved XSS, and then RCE in the new Steam Chat client. The client is a cutting-edge React application speaking binary over encrypted WebSockets sitting in Steam's custom version of Chrome Embedded Framework. Through my journey to RCE, I hope to impart some of the most useful techniques I've learned attacking large, minified modern JavaScript applications and reflect on modern application security architecture.