electron-userland / electron-builder

A complete solution to package and build a ready for distribution Electron app with “auto update” support out of the box
https://www.electron.build
MIT License

Windows x64 electron-prebuilt is testing positive for the trojan content.malicious.win-packed-mikey-9859574-0 #8293

Open mrjoshuaesmith opened 3 months ago

mrjoshuaesmith commented 3 months ago

Scanning the .exe created by electron-builder with scanii.com is flagging positive for content.malicious.win-packed-mikey-9859574-0

It's probably a false positive, but I thought it would be prudent to bring this to your attention so you can check that this isn't the result of a supply chain attack on electron-prebuilt.

mmaietta commented 3 months ago

electron-builder only leverages the version of electron-prebuilt installed within your own package.json, electron-prebuilt is not a dependency of electron-builder

/**
 * The version of electron you are packaging for. Defaults to version of `electron`, `electron-prebuilt` or `electron-prebuilt-compile` dependency.
 */
electronVersion?: string | null

From https://www.npmjs.com/package/electron-prebuilt

electron-prebuilt has been renamed to electron. For more details, see http://electron.atom.io/blog/2016/08/16/npm-install-electron

Since it looks like you're on latest electron, I'm assuming you're not using electron-prebuilt?

mrjoshuaesmith commented 3 months ago

I was unaware of the name change, and my package.json still had: "devDependencies": { "electron-prebuilt": "31.1.0" }, but I guess something was correcting that error, because it's definitely using the latest electron. I updated my package.json to say "electron" and it didn't need to download anything new, so you're right. I'm using electron. Sorry about that mis-statement. But the scan result is still there when I changed the package.json to correctly say "electron" and rebuilt the .exe.

Are you saying I should report this issue over at electron's issue tracker instead of this one?

mmaietta commented 3 months ago

Hmmm, in that case, if it's the assembled .exe and not reproducing with electron-forge, then it's something else during the packaging process of electron-builder. It's likely a false positive as the files used haven't changed in over 3 years and each asset download is matched by sha256 to prevent any man in the middle attacks or supply chain overrides
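As an added example (not code from electron-builder, Electron, or anyone in this thread), here is the kind of sha256 check the comment above refers to, written as a stand-alone Python script: it parses a SHASUMS256.txt-style listing (one `<sha256 hex> *<filename>` line per asset) and compares a downloaded asset against it, so that a scanner hit on the packaged .exe can be separated from the question of whether the upstream Electron asset itself was tampered with. The file names, the asset bytes and the listing are constructed for the example; the digests are computed from those constructed bytes and are not real Electron release digests.

```python
import hashlib
import re

# Constructed sample data: two fake "downloaded" release assets. In a real
# check, these bytes would be read from the zip files in the local cache.
ASSET_BYTES = {
    "electron-v31.1.0-win32-x64.zip": b"constructed win32 x64 zip payload",
    "electron-v31.1.0-darwin-arm64.zip": b"constructed darwin arm64 zip payload",
}


def sha256_hex(data: bytes) -> str:
    """Hex digest of the given bytes (what a checksum listing stores)."""
    return hashlib.sha256(data).hexdigest()


# Constructed checksum listing in the '<hex> *<filename>' shape used by
# SHASUMS256.txt-style files; the hashes are derived from ASSET_BYTES above.
SHASUMS_TEXT = "".join(
    f"{sha256_hex(data)} *{name}\n" for name, data in ASSET_BYTES.items()
)


def parse_shasums(text: str) -> dict:
    """Map filename -> expected lowercase sha256 hex from a checksum listing.

    Accepts both '<hex> *<file>' (binary mode) and '<hex>  <file>' lines,
    ignores blank and '#' lines, and rejects anything else rather than
    silently skipping it, so a truncated or altered listing is noticed.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$", line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def verify_asset(name: str, data: bytes, expected: dict) -> tuple:
    """Return (ok, reason) for one asset against the parsed listing.

    An asset with no published checksum is treated as a failure: the
    absence of a digest is not evidence that the file is genuine.
    """
    if name not in expected:
        return False, "no checksum published for this asset"
    actual = sha256_hex(data)
    if actual != expected[name]:
        return False, f"sha256 mismatch: expected {expected[name]}, got {actual}"
    return True, "ok"


def verify_all(assets: dict, shasums_text: str) -> dict:
    """Verify every asset in `assets`; returns name -> (ok, reason)."""
    expected = parse_shasums(shasums_text)
    return {name: verify_asset(name, data, expected) for name, data in assets.items()}


if __name__ == "__main__":
    # Intact assets verify; a modified copy of one asset does not.
    for name, result in verify_all(ASSET_BYTES, SHASUMS_TEXT).items():
        print(name, result)
    tampered = dict(ASSET_BYTES)
    tampered["electron-v31.1.0-win32-x64.zip"] += b"\x00extra"
    print("tampered:", verify_all(tampered, SHASUMS_TEXT)["electron-v31.1.0-win32-x64.zip"])
```

Pointing `ASSET_BYTES` at the real files in the local Electron download cache and `SHASUMS_TEXT` at the listing fetched for the same release version gives a direct answer to "was the input to the packager what upstream published?", which is a different question from whether the packed output trips a heuristic signature.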

KBEMobisys commented 2 months ago

Today, we also got a hit for "Win.Packed.Mikey-9859574-0" with the virus scanner "ClamAV" on the malware scanning service https://virusscan.jotti.org (this service scans a file with 14 different virus scanners). Besides some other dependencies, our Win x64 Electron app was updated from "electron": "21.4.4" to "electron": "31.2.1" and from "electron-squirrel-startup": "1.0.0" to "electron-squirrel-startup": "1.0.1".

The build before was ok. So it is related to the dependency update of Electron. The mac version of the problematic build was also ok.

github-actions[bot] commented 2 weeks ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.