> access work-related materials on personal machines directly, without a VPN or similar security measures
The VPN encrypts the network traffic and can serve as a way to let only authenticated devices access the internal network. But once a device is compromised by malware, the VPN doesn't give any extra protection: the malware just needs to wait for the user to activate the VPN, and then it can access the company's network just like any other application running on that machine.
> the malware just needs to wait for the user to activate the VPN, and then can access the company's network
In theory, you are correct, and it does increase the risk compared to never having it connected. However, it doesn't mean it's automatically compromised, since the initial point of infection happened through a user action (installing the mod), not through an unknown exploit that spreads through a specific network protocol. So just connecting it doesn't mean infection, not to mention the VPN settings. Maybe they have file transfer disabled or similar, a different OS, protection, etc., which makes it harder to infect. The worst scenario is that he was infected with a RAT (remote access trojan), where the attacker actively tries to scan other hosts connected to the network through the VPN to find vulnerabilities.
That being said, accessing the company network through a VPN is still best practice. After all, you need to access the network remotely for a lot of reasons.
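As an added example (not from anyone in this thread or from any VPN product), here is the kind of check a SOC would run for the worst case described above: a RAT that, as soon as the tunnel comes up, starts sweeping internal hosts. It joins VPN session-start records with flow records from the tunnel side and flags any session that touches many distinct internal hosts within a few minutes of connecting. The log formats, the 10.1.0.0/16 internal range, the 5-minute window and the 10-host threshold are all assumptions; the sample log lines are constructed.

```python
"""Flag VPN sessions that sweep the internal network right after connecting.

Assumed inputs: a VPN concentrator line like
    <ISO-8601 ts> session-start user=<name> tunnel_ip=<ip>
and a flow/firewall line for traffic leaving the tunnel interface like
    <ISO-8601 ts> src=<ip> dst=<ip> dport=<port>
Both formats are hypothetical, chosen for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.1.0.0/16")   # assumed internal address space

# Constructed sample logs: alice does normal work, bob's host sweeps SMB.
VPN_LOG = [
    "2024-03-04T08:00:05Z session-start user=alice tunnel_ip=10.8.0.12",
    "2024-03-04T08:01:10Z session-start user=bob tunnel_ip=10.8.0.13",
]
FLOW_LOG = [
    "2024-03-04T08:00:20Z src=10.8.0.12 dst=10.1.0.5 dport=445",
    "2024-03-04T08:00:31Z src=10.8.0.12 dst=10.1.0.9 dport=993",
    "2024-03-04T08:03:02Z src=10.8.0.12 dst=10.1.0.5 dport=445",
] + [
    # 25 consecutive internal hosts on 445, starting 5 s after bob connects
    f"2024-03-04T08:01:{15 + i:02d}Z src=10.8.0.13 dst=10.1.0.{i + 1} dport=445"
    for i in range(25)
]


def parse_line(line):
    """'<ts> key=value ...' -> (datetime, {key: value}); bare tokens are ignored."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields


def parse_sessions(vpn_lines):
    """Map tunnel IP -> sorted [(start_time, user)]; tunnel IPs get reused."""
    sessions = defaultdict(list)
    for line in vpn_lines:
        ts, f = parse_line(line)
        if "session-start" in line:
            sessions[ip_address(f["tunnel_ip"])].append((ts, f["user"]))
    for starts in sessions.values():
        starts.sort()
    return sessions


def session_for(sessions, src, ts):
    """Most recent session on this tunnel IP that started at or before ts."""
    match = None
    for start, user in sessions.get(src, []):
        if start <= ts:
            match = (start, user)
    return match


def find_post_connect_scans(vpn_lines, flow_lines, internal=INTERNAL,
                            window=timedelta(minutes=5), min_hosts=10):
    """Return sessions that contact >= min_hosts distinct internal hosts
    within `window` of connecting, most hosts first."""
    sessions = parse_sessions(vpn_lines)
    hosts = defaultdict(set)    # (tunnel_ip, start, user) -> distinct dst hosts
    ports = defaultdict(set)    # same key -> destination ports seen
    for line in flow_lines:
        ts, f = parse_line(line)
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if dst not in internal:
            continue                      # only care about reach into the LAN
        s = session_for(sessions, src, ts)
        if s is None or ts > s[0] + window:
            continue                      # no session, or outside the window
        key = (src, s[0], s[1])
        hosts[key].add(dst)
        ports[key].add(int(f["dport"]))
    alerts = [
        {"user": user, "tunnel_ip": str(src), "session_start": start.isoformat(),
         "distinct_hosts": len(dsts), "ports": sorted(ports[(src, start, user)])}
        for (src, start, user), dsts in hosts.items() if len(dsts) >= min_hosts
    ]
    return sorted(alerts, key=lambda a: -a["distinct_hosts"])


if __name__ == "__main__":
    for alert in find_post_connect_scans(VPN_LOG, FLOW_LOG):
        print(alert)
```

The point of keying on the session rather than the tunnel IP is that concentrators hand the same address to different users over a day; a flag has to name the user and the session start so it can be matched to a device. This is a compensating control, not a substitute for the VPN: it assumes the traffic was already allowed through the tunnel, which is exactly the situation the thread describes.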