lierdakil / pandoc-crossref

Pandoc filter for cross-references
https://lierdakil.github.io/pandoc-crossref/
GNU General Public License v2.0

Windows Defender reports a threat with the 0.3.12.0a release for Windows #318

Open dbobak opened 3 years ago

dbobak commented 3 years ago

When downloading the new 0.3.12.0a release, I'm getting an alert from Windows Defender, detecting Trojan:Script/Wacatac.B!ml.


lierdakil commented 3 years ago

Hello! Thanks for the notice. I take cybersecurity issues pretty seriously, and I prefer to know when something like this happens.

The binary is built on the GitHub Actions infrastructure and is published automatically. Unless GHC and/or GitHub infrastructure was compromised, the chance of the binary being infected is rather slim. Besides, there was a case of a false positive detection in #204.

Running through VirusTotal shows a rather curious picture.

If I upload the 7z archive, only Microsoft's antivirus reports any issues -- feel free to verify this, the hash displayed by VirusTotal is sha256.

If I upload the binary itself, Microsoft's antivirus doesn't see the issue any more, but a couple other products find "something".

Now, it's a well-documented fact that cheaper antivirus products don't like UPX, so I've also uploaded an unpacked binary (after running it through `upx -d`), and it's reported as clean.

This looks very much like a false positive. If you would be so inclined, please send the offending file for detailed forensic analysis via Windows Feedback or through the web form. Thank you. I can do this myself, in theory, but I'm a Linux user, so it's a little trickier for me.
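The two checks the thread relies on (comparing the downloaded artifact's SHA-256 against the hash VirusTotal displays, and telling a UPX-packed PE from its unpacked form) can be scripted so a downloader can reproduce them offline. The following is an added example, not code from pandoc-crossref or its author: it computes the SHA-256 of a file the way VirusTotal reports it, reads the PE section table to spot the `UPX0`/`UPX1` sections a packed binary carries, and builds a constructed, minimal fake PE image for demonstration. The expected hash is a labelled placeholder, since the real release hash is not given on this page.

```python
import hashlib
import struct

# Placeholder only: substitute the sha256 shown by VirusTotal / the release page.
EXPECTED_SHA256 = "<sha256-from-virustotal-or-release-page>"


def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory blob (VirusTotal shows this hash)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream a file in 1 MiB chunks so large archives don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image, or [] if data is not a PE.

    Layout used: DOS header ('MZ', e_lfanew at 0x3C) -> 'PE\\0\\0' -> 20-byte
    COFF header (NumberOfSections at +2, SizeOfOptionalHeader at +16) ->
    optional header -> 40-byte section headers whose first 8 bytes are the name.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    if coff + 20 > len(data):
        return []
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            break  # truncated section table; stop rather than guess
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """UPX leaves UPX0/UPX1 section names and a 'UPX!' marker in packed files."""
    names = pe_section_names(data)
    return any(n.startswith("UPX") for n in names) or b"UPX!" in data


def verify_release(data: bytes, expected_sha256: str) -> dict:
    """Summarise what a downloader would want to know before trusting the file."""
    digest = sha256_hex(data)
    return {
        "sha256": digest,
        "hash_matches": digest == expected_sha256.lower(),
        "upx_packed": looks_upx_packed(data),
        "sections": pe_section_names(data),
    }


def build_fake_pe(section_names: list[str]) -> bytes:
    """Constructed minimal PE (no optional header, no section data) for demos."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    packed = build_fake_pe(["UPX0", "UPX1", ".rsrc"])    # constructed sample
    unpacked = build_fake_pe([".text", ".rdata", ".data"])
    print(verify_release(packed, sha256_hex(packed)))
    print(verify_release(unpacked, EXPECTED_SHA256))
```

Run against a real download with `sha256_file("pandoc-crossref.exe")` and compare the result with the hash VirusTotal shows; a mismatch means you are not looking at the same file the thread discusses, and `upx_packed` tells you whether the engines that dislike packers were judging the packed or the unpacked image.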