JanDeDobbeleer / oh-my-posh

The most customisable and low-latency cross platform/shell prompt renderer
https://ohmyposh.dev
MIT License
16.79k stars, 2.35k forks

Malware reports in latest `oh-my-posh.exe` #1361

Closed mavaddat closed 2 years ago

mavaddat commented 2 years ago


What happened?

Windows Defender is showing Win32/Phonzy.A!ml (trojan) found in the latest executable, and Antiy-AVL shows Trojan/Generic.ASBOL.C689. Virus Total results here. [screenshot of Windows Security showing the virus detection result]

Trojan:Win32/Phonzy.A!ml
Alert level: Severe
Status: Active
Date: 2021-12-02 8:52 AM
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.
Affected items:
file: C:\Users\mavad\AppData\Local\Programs\oh-my-posh\bin\oh-my-posh.exe

This seems to be a false positive, as reported in another case, but I am keeping the file in quarantine until I get confirmation it is safe.

From quarantine, I calculated the following hashes for oh-my-posh.exe:

| Field | Value |
|---|---|
| Name | oh-my-posh.exe |
| Size | 4121088 bytes (4024 KiB) |
| CRC32 | 5960DAB6 |
| CRC64 | 5F7230649CCCF287 |
| SHA256 | 5E6D37F4F2773C7BAAD4514AF71792AC08F4D84294BF53FF368A377D878A6952 |
| SHA1 | 21EB68F94C2063EBCC1444F49FC2B006FCC6B11A |
| BLAKE2sp | 4EA60379EF634D0529CCF02C7945D459C76CED92B8324D5A1CC5C644BFEBC942 |

Installed from winget:

| Package | Id | Version |
|---|---|---|
| Oh My Posh | JanDeDobbeleer.OhMyPosh | 6.22.1 |

Theme

Probably relevant, but I am using a modified JanDeDobbeleer theme.

My entire JSON theme:

```json
{
  "blocks": [
    {
      "type": "prompt",
      "alignment": "left",
      "segments": [
        {
          "type": "session",
          "style": "diamond",
          "foreground": "#ffffff",
          "background": "#c386f1",
          "leading_diamond": "",
          "trailing_diamond": "",
          "properties": {
            "postfix": " ",
            "display_host": false
          }
        },
        {
          "type": "path",
          "style": "powerline",
          "powerline_symbol": "",
          "foreground": "#ffffff",
          "background": "#ff479c",
          "properties": {
            "prefix": "  ",
            "home_icon": "~",
            "folder_separator_icon": " \uE0b1 ",
            "style": "folder"
          }
        },
        {
          "type": "git",
          "style": "powerline",
          "powerline_symbol": "",
          "foreground": "#193549",
          "background": "#fffb38",
          "properties": {
            "display_stash_count": true,
            "display_upstream_icon": true,
            "status_colors_enabled": true,
            "local_changes_color": "#ff9248",
            "ahead_and_behind_color": "#f26d50",
            "behind_color": "#f17c37",
            "ahead_color": "#89d1dc",
            "stash_count_icon": "\uF692 "
          }
        },
        {
          "type": "node",
          "style": "powerline",
          "powerline_symbol": "",
          "foreground": "#ffffff",
          "background": "#6CA35E",
          "properties": {
            "prefix": " \uF898 ",
            "display_version": true
          }
        },
        {
          "type": "go",
          "style": "powerline",
          "powerline_symbol": "",
          "foreground": "#111111",
          "background": "#8ED1F7",
          "properties": {
            "prefix": " \uE626 ",
            "display_version": true
          }
        },
        {
          "type": "julia",
          "style": "powerline",
          "powerline_symbol": "",
          "foreground": "#111111",
          "background": "#4063D8",
          "properties": {
            "prefix": " \uE624 ",
            "display_version": true
          }
        },
        {
          "type": "python",
          "style": "powerline",
          "powerline_symbol": "",
          "foreground": "#111111",
          "background": "#FFDE57",
          "properties": {
            "prefix": " \uE235 ",
            "display_version": true,
            "display_mode": "files",
            "display_virtual_env": false
          }
        },
        {
          "type": "poshgit",
          "style": "powerline",
          "powerline_symbol": "\uE0B0",
          "foreground": "#ffffff",
          "background": "#0077c2"
        },
        {
          "type": "ruby",
          "style": "powerline",
          "powerline_symbol": "",
          "foreground": "#ffffff",
          "background": "#AE1401",
          "properties": {
            "prefix": " \uE791 ",
            "display_version": true,
            "display_mode": "files"
          }
        },
        {
          "type": "azfunc",
          "style": "powerline",
          "powerline_symbol": "",
          "foreground": "#ffffff",
          "background": "#FEAC19",
          "properties": {
            "prefix": " \uf0e7",
            "display_version": false,
            "display_mode": "files"
          }
        },
        {
          "type": "aws",
          "style": "powerline",
          "powerline_symbol": "",
          "foreground": "#ffffff",
          "background_templates": [
            "{{if contains \"default\" .Profile}}#FFA400{{end}}",
            "{{if contains \"jan\" .Profile}}#f1184c{{end}}"
          ],
          "properties": {
            "prefix": " \uE7AD ",
            "display_default": false
          }
        },
        {
          "type": "root",
          "style": "powerline",
          "powerline_symbol": "",
          "foreground": "#111111",
          "background": "#ffff66",
          "properties": {
            "root_icon": ""
          }
        },
        {
          "type": "executiontime",
          "style": "plain",
          "foreground": "#ffffff",
          "background": "#83769c",
          "leading_diamond": "",
          "trailing_diamond": "",
          "properties": {
            "always_enabled": true,
            "prefix": " \ufa1e",
            "postfix": "\u2800"
          }
        },
        {
          "type": "exit",
          "style": "diamond",
          "foreground": "#ffffff",
          "background": "#2e9599",
          "leading_diamond": "",
          "trailing_diamond": "",
          "properties": {
            "display_exit_code": false,
            "always_enabled": true,
            "error_color": "#f1184c",
            "color_background": true,
            "prefix": "<#83769c> "
          }
        }
      ]
    },
    {
      "type": "rprompt",
      "segments": [
        {
          "type": "shell",
          "style": "plain",
          "foreground": "#ffffff",
          "background": "#0077c2",
          "properties": {
            "prefix": "<#0077c2,transparent>\uE0B6  ",
            "postfix": " \uE0B2"
          }
        },
        {
          "type": "ytm",
          "style": "powerline",
          "powerline_symbol": "\uE0B2",
          "invert_powerline": true,
          "foreground": "#111111",
          "background": "#1BD760",
          "properties": {
            "prefix": " \uF167 ",
            "paused_icon": " ",
            "playing_icon": " "
          }
        },
        {
          "type": "battery",
          "style": "powerline",
          "invert_powerline": true,
          "powerline_symbol": "\uE0B2",
          "foreground": "#ffffff",
          "background": "#f36943",
          "properties": {
            "battery_icon": "",
            "discharging_icon": " ",
            "charging_icon": " ",
            "charged_icon": " ",
            "color_background": true,
            "charged_color": "#4caf50",
            "charging_color": "#40c4ff",
            "discharging_color": "#ff5722",
            "postfix": " "
          }
        },
        {
          "type": "time",
          "style": "diamond",
          "invert_powerline": true,
          "leading_diamond": "\uE0B2",
          "trailing_diamond": "\uE0B4",
          "background": "#2e9599",
          "foreground": "#111111"
        }
      ]
    }
  ],
  "tooltips": [
    {
      "type": "git",
      "tips": ["git", "g"],
      "style": "diamond",
      "foreground": "#193549",
      "background": "#fffb38",
      "leading_diamond": "",
      "trailing_diamond": "",
      "properties": {
        "display_status": true,
        "display_upstream_icon": true,
        "status_colors_enabled": true,
        "local_changes_color": "#ff9248",
        "ahead_and_behind_color": "#f26d50",
        "behind_color": "#f17c37",
        "ahead_color": "#89d1dc"
      }
    }
  ],
  "final_space": true,
  "console_title": true,
  "console_title_style": "template",
  "console_title_template": "{{ .Shell }} in {{ .Folder }}"
}
```

The difference here (expires 02 Jan 2022).

What OS are you seeing the problem on?

Windows

Which shell are you using?

powershell

Log output

Not available

JanDeDobbeleer commented 2 years ago

@mavaddat if you installed via one of the official ways this is indeed a false positive.

mavaddat commented 2 years ago

Great, thanks Jan. Yes, I installed via winget. The official channels listed on https://ohmyposh.dev/docs/windows are winget, scoop, powershell and chocolatey, so I should be fine. I'll just ignore.

JanDeDobbeleer commented 2 years ago

@mavaddat you can also always validate the hash. I'm adding signatures as well so they're signed with a private key and can be validated with the public key.
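An added example of the hash check Jan refers to (this is not code from the oh-my-posh project or from either participant). It reproduces the digests mavaddat listed that the Python standard library can compute (CRC32, SHA1, SHA256), parses a "Field Value" table like the one in the report, and compares each value case-insensitively in constant time, returning the names of any algorithms that do not match. BLAKE2sp is deliberately skipped: `hashlib.blake2s` is a different algorithm from the parallel BLAKE2sp variant, so comparing the two would always report a spurious mismatch. The sample file and its published digests in the demo are constructed, not this release's values.

```python
import hashlib
import hmac
import os
import tempfile
import zlib

# Algorithms reproducible with the standard library. BLAKE2sp (as shown in the
# issue) is NOT hashlib.blake2s; comparing them would always fail, so it is
# intentionally excluded rather than silently mis-verified.
SUPPORTED = ("CRC32", "SHA1", "SHA256")


def compute_digests(data: bytes) -> dict:
    """Return lowercase hex digests of in-memory data for each supported algorithm."""
    return {
        "CRC32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all supported hashes without loading it whole."""
    crc = 0
    sha1 = hashlib.sha1()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            sha1.update(chunk)
            sha256.update(chunk)
    return {
        "CRC32": f"{crc & 0xFFFFFFFF:08x}",
        "SHA1": sha1.hexdigest(),
        "SHA256": sha256.hexdigest(),
    }


def parse_hash_table(text: str) -> dict:
    """Parse 'Field Value' lines (as in the issue's table) into {ALGO: hex}.

    Lines for unsupported fields (Name, Size, CRC64, BLAKE2sp) are skipped.
    """
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].upper() in SUPPORTED:
            expected[parts[0].upper()] = parts[1].lower()
    return expected


def verify_digests(actual: dict, expected: dict) -> list:
    """Return the algorithms whose digest does not match (empty list = all OK).

    Comparison is case-insensitive (published hashes are often uppercase) and
    uses hmac.compare_digest so timing does not depend on how many bytes matched.
    An expected algorithm we cannot compute counts as a failure, not a pass.
    """
    failures = []
    for algo, want in expected.items():
        have = actual.get(algo)
        if have is None or not hmac.compare_digest(
            have.lower().encode(), want.lower().encode()
        ):
            failures.append(algo)
    return failures


def verify_file(path: str, published_table: str) -> list:
    """Hash a file on disk and check it against a published hash table."""
    return verify_digests(hash_file(path), parse_hash_table(published_table))


if __name__ == "__main__":
    # Constructed demo: a stand-in "binary" and the genuine digests of b"abc".
    sample = b"abc"
    published = (
        "Name demo.exe\n"
        "Size 3 bytes\n"
        "CRC32 352441C2\n"
        "SHA1 A9993E364706816ABA3E25717850C26C9CD0D89D\n"
        "SHA256 BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD\n"
    )
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
    try:
        print("mismatches:", verify_file(tmp.name, published))  # expect []
    finally:
        os.unlink(tmp.name)
```

Point `verify_file` at the quarantined binary and a table copied from the release page; an empty list means every published digest matched, and any name in the list is an algorithm worth investigating before the file is restored.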

github-actions[bot] commented 6 months ago

This issue has been automatically locked since there has not been any recent activity (i.e. last half year) after it was closed. It helps our maintainers focus on the active issues. If you have found a problem that seems similar, please open a discussion first, complete the body with all the details necessary to reproduce, and mention this issue as reference.