medikoo / es5-ext

ECMAScript extensions (with respect to upcoming ECMAScript features)
ISC License

package being detected as a virus #186

Open aviramha opened 1 year ago

aviramha commented 1 year ago

Note from the maintainer:

This package conditionally displays a friendly message when installed via npm.

_The message appears only if the computer's locale timezone is set to one of the Russian timezones and politely advises users to seek reliable sources of truth regarding the war in Ukraine. The message is short and concise._

Note that it is not uncommon for npm packages to print some information upon installation. Hundreds of packages on npm do this: https://github.com/search?q=%22%5C%22postinstall%5C%22%22+language:json&type=code. Are they reported by any anti-virus software?

This post-install logic is not part of the package's core functionality. It does not affect how the package operates when used. If you rely on a prepackaged product that depends on this package, this logic is not included in your product.

At worst, this behavior could be considered protestware, but labeling it as dangerous to users is simply incorrect. If any anti-virus software flags this behavior, please report it to them, as this is a bug on their side that unnecessarily complicates your experience.


Original post:

We updated our version of es5-ext and faced an error when publishing to the VS Code marketplace when they ran an anti-virus scan. Checking it offline, we found out that VirusTotal started detecting the version with the manifest as a virus, hence forcing us to stay with the last version before the manifest.

I don't wish to get into the politics and decision - I believe this is entirely up to the package creator and maintainer to decide as it's their software, but opening this as a FYI.

medikoo commented 1 year ago

@aviramha there's no virus in this package. Please report the issue to VS Code.


Added later:

I'll be happy to report this issue to any anti-virus or security service, yet I need precise instructions from you on where I can do it?

I'm not aware of any reports on my own (my work and my personal digital life are not affected by it).

Please post instructions as comments in this thread. Thank you!

aviramha commented 1 year ago

I know there's no virus. It's also probably not VS Code, as more than one anti-virus detects it as a virus. I'd assume contacting each anti-virus, but I'm really pessimistic about Kaspersky not tagging this as a virus.

aviramha commented 1 year ago

We emailed the marketplace team BTW, but given past experience, as written before I wouldn't hold my breath.

medikoo commented 1 year ago

@aviramha thanks for emailing them.

AFAIK it's Kaspersky (Russian anti-virus) that does this kind of thing, but it's also discouraged to rely on this antivirus now (many sources warn against using it). So I guess VS Code might have fallen into the trap of relying on it (or on an antivirus that uses its database).

They really should fix it.

Rush commented 1 year ago

The problem is that this package is doing more than it advertises. It not only extends es5 with extra methods and shims, it also implements a "Call for peace" message. I think it's an unacceptable practice that slows down the installation process.

https://github.com/medikoo/es5-ext/blob/main/_postinstall.js

I discovered it as yarn started printing that es5-ext is "building" while in fact it's processing the anti-war script.

Send more weapons to Ukraine and beat the Ruskis but do not pollute my dev environment. And I am saying this with a complete recognition that Russia is the warmonger.

Rush commented 1 year ago

So the real reason this is a virus is that it's doing needless postinstall actions that depend on the location of the user. What next? If somebody is in Russia, maybe delete all of their files? How much more evil do Ruskis need to do for this to become OK?

medikoo commented 1 year ago

@Rush this package will never do more than showing a simple message (manifest) if someone installs it in Russia. Reasoning for that was elaborated extensively at #116, so let's not dive into unconstructive discussions here, this is not in the scope of this issue.

andrey-helldar commented 1 year ago

Kaspersky Anti-Virus also detects the package as a virus:

Event: Object deleted
Program name: node.exe
Program path: C:\Users\Helldar\AppData\Local\nvs\node\16.16.0\x64
Component: File Anti-Virus
Result Description: Removed
Type: Program that can harm
Name: Hoax.JS.ExtMsg.a
Accuracy: Precise
Threat Level: Medium
Object type: File
Object name: _postinstall.js
Object Path: D:\domains\volunteers\web\node_modules\es5-ext
MD5: CF2BB0D501167A2D3A0764227C3D7E16

Original:

Событие: Объект удален
Имя программы: node.exe
Путь к программе: C:\Users\Helldar\AppData\Local\nvs\node\16.16.0\x64
Компонент: Файловый Антивирус
Описание результата: Удалено
Тип: Программа, которая может нанести вред
Название: Hoax.JS.ExtMsg.a
Точность: Точно
Степень угрозы: Средняя
Тип объекта: Файл
Имя объекта: _postinstall.js
Путь к объекту: D:\domains\volunteers\web\node_modules\es5-ext
MD5: CF2BB0D501167A2D3A0764227C3D7E16

I think it's because of this text: https://github.com/medikoo/es5-ext/blob/main/_postinstall.js#L31-L72

Released in 0.10.54: https://github.com/medikoo/es5-ext/commit/28de285ed433b45113f01e4ce7c74e9a356b2af2

medikoo commented 1 year ago

@andrey-helldar yes, Kaspersky is Russian-based and no longer a credible anti-virus resource.

There's widespread advice to not rely on it anymore (e.g. https://www.komando.com/security-privacy/kaspersky-antivirus-dangers/830542/).

So if you're affected by the fact that Kaspersky reports this package, ensure to not rely on Kaspersky in the first place.

medikoo commented 1 year ago

Note that I will delete any off-topic responses.

The topic here is that some anti-virus software (such as Kaspersky) is reporting the package as containing a "virus", which is not the case. This package, in certain scenarios, just prints a short message on installation.

Respond only if you have information on other anti-virus software that reports it, or have success stories on removing dependency on that specific anti-virus software.

andrey-helldar commented 1 year ago

I would like to add on my own: there are two ways to solve the problem:

First way: to do this, go to the "Exceptions" section in the settings and add four entries:

In all points, I selected "Scan area" - "everything" (*).

After that, the antivirus stopped responding to this error.

Second way: delete Kaspersky from PC.

PS: This file does not contain any virus, and the antivirus reacts because it belongs to a Russian company. In Russia, any anti-war statements are punishable by law. In addition, it has long been known that Kaspersky Anti-Virus works for the government.

DigitalNaut commented 1 year ago

Respond only if you have information on other anti-virus software that reports it, or have success stories on removing dependency on that specific anti-virus software.

I don't have any more information, just wanted to point out that all of the accounts that are downvoting you are very suspicious. Most don't even have more than 3 contributions. This is crazy.

Shotman commented 1 year ago

Just want to point out that I've recently had McAfee report the _postinstall.js file as JS/Hoax.gen.a from my internal company monitoring system.

As seen on those 2 VirusTotal reports:

https://www.virustotal.com/gui/file/5dd190b1792cb7ac5623c74fb28f34e3753b3a66b2fc28dc11c2e60bf3227979 https://www.virustotal.com/gui/file/a4d97b74a47ac8a9364330e304949af6193537794f83005fc6e0776d0a577a77

I just went off a call with head of security asking me questions on what es5-ext actually was etc.

medikoo commented 1 year ago

@Shotman, you should probably ask security to report to McAfee a false positive. "Hoax" means that this package issues a fake warning about potential viruses etc, which is meant to put you on the alert. That's not the case here.

pgsandstrom commented 1 year ago

I also ran into problems with my company's McAfee. It automatically deletes es5-ext whenever it is found on the system, making it impossible for me to work with any project that has es5-ext as a dependency.

medikoo commented 1 year ago

@pgsandstrom please report it upstream, as it's a problem with McAfee not this package

rlyonbox commented 1 year ago

This is a problem for OSX as well without any 3rd-party AV - please stop deflecting the issue because it is happening across multiple environments and is breaking installs for many many people.

It is not our responsibility to fix your broken project. It is not a problem with specific AV suites.

medikoo commented 1 year ago

This is a problem for OSX as well without any 3rd-party AV

Can you elaborate? Also, it's macOS now. BTW, I work on macOS extensively and I don't see any reports.

rlyonbox commented 1 year ago

I don't see how naming of OSX or macOS is relevant to the discussion. We both understand what I mean, as would anyone else reading this comment thread.

The issue is presenting as a failure to copy the file from the yarn cache. The file is entirely unreadable on macOS 12.6, as it's blocked by the OS:

sudo cat /Users/XXX/Library/Caches/Yarn/v6/npm-es5-ext-0.10.60-e8060a86472842b93019c31c34865012449883f4-integrity/node_modules/es5-ext/_postinstall.js
cat: /Users/XXX/Library/Caches/Yarn/v6/npm-es5-ext-0.10.60-e8060a86472842b93019c31c34865012449883f4-integrity/node_modules/es5-ext/_postinstall.js: Operation not permitted

Or when installing with yarn:

error An unexpected error occurred: "EPERM: operation not permitted, copyfile '/Users/XXX/Library/Caches/Yarn/v6/npm-es5-ext-0.10.60-e8060a86472842b93019c31c34865012449883f4-integrity/node_modules/es5-ext/_postinstall.js' -> '/Users/XXX/Development/Box/notes/box-etherpad-lite2/node_modules/es5-ext/_postinstall.js'".

medikoo commented 1 year ago

@rlyonbox this is a totally unrelated issue on your system and has nothing to do with the mentioned antivirus reports.

rlyonbox commented 1 year ago

It's very much the same issue. From what I can guess, _postinstall.sh has been (maliciously) added to common virus scanlists and that has now propagated across many AV solutions - both 3rd-party and OS-native.

rlyonbox commented 1 year ago

Correction, sorry I didn't spot it before. Corporate machine. There is a 3rd-party AV "Carbon Black Cloud" that blocked the file.

Oliniusz commented 1 year ago

Hi guys,

I have sent plenty of private money to my friends in Ukraine and to student organisations etc. I pray for a better world.

But at the moment I am writing explanation notes to our client explaining why wiz.io is detecting malware in the yarn cache on our Jenkins server. I am literally quoting this github issue.

pikelet commented 1 year ago

I'm also getting this issue where Mosyle Security (macOS) is detecting the file as malware (Threat: MacOS_Script_ExtMsg). This is embarrassing to explain to clients in corporate environments - I can't just mark it as a false flag and move on. I've reached out to Mosyle myself, but imo you as the owner of the package should be the one reaching out to AV vendors and sorting this out.

medikoo commented 1 year ago

@pikelet let me know where exactly I can report it, and I'd happily do that.

n8-dev commented 1 year ago

I think it's because of this text: https://github.com/medikoo/es5-ext/blob/main/_postinstall.js#L31-L72

Released in 0.10.54: https://github.com/medikoo/es5-ext/commit/28de285ed433b45113f01e4ce7c74e9a356b2af2

@medikoo Firstly, I support your point. However truly, have you thought about changing the text in here ever so slightly to get around the blocking? If anything that would be cool to have a package that is smart about sticking it to the man

I mean wouldn't you think that allowing Russians to actually see your anti-war message is a better tactic than it just getting removed as a dependency or locked to a lower version?

As you said, don't use Kaspersky but:

Honestly, update your readme with information of how to HELP you report this as a valid non-malicious package to any antivirus vendors that will listen, and get an issue template to work out why ones that aren't trustworthy are blocking and get around it.

As many have already called you out on it.

It is not our responsibility to fix your broken project

This is something you can fix, it can no longer be your responsibility you do wish by ceding the ownership to some others, otherwise you'll just get forked all over the show and the message won't be shared :/

medikoo commented 1 year ago

@n8-dev Thanks for your comment:

have you thought about changing the text in here ever so slightly to get around the blocking?

Which part of the text do you think is responsible for it being "blocked"? Is it the Tor link?

Honestly, update your readme with information of how to HELP you report

I mentioned in above comment that I'd be happy to report all cases in my own capacity, but I need instructions from you

You've posted a lengthy comment, yet still, you provided zero help on that :)

Anyway I've updated my first comment here, with a call for help in providing me with the necessary instructions

unional commented 1 year ago

Hi, I honor the cause for the action. We are living in a special time and hopefully this will not be a problem anymore soon.

For the time being, if you want a remedy to the problem, you can use the overrides mechanism of your package manager of choice.

I have created a video to describe what you need to do: https://youtu.be/dh9UUqsJLok

n8-dev commented 1 year ago

A one-off comment is not that hard to do, and it's not that lengthy really, it's just clear.

I've got my own job man, I shouldn't have to do your homework for your module to help your mission.

As you can see in other references to this people are just dropping your package, that shows that you're failing right?

Again, I don't know what it is exactly being detected but if you change it you might get past. As with most things, it's a game of cat and mouse, trying to stay one step ahead.

Try taking out Tor links, I'd go for dropping region checking cause that could be flagged, try changing words, writing country names with spaces, who knows what they use.

Take a look at the message composer gives perhaps?, still gets the same point across and actively out there and isn't getting flagged everywhere 🤔

medikoo commented 1 year ago

@n8-dev removing anything you mentioned is out of the question as it's a core of this manifest.

Again, I'll be happy to send reports to anti-virus vendors, but I need help from you (where it should be reported and what's the id/code of vulnerability I should report as false)

ntedgi commented 1 year ago

This post-install file is also reported as malware in Wiz container image scans.

kolonuk commented 1 year ago

Just a suggestion, but shouldn't changing some text of the file or filename confuse the scanners? Some go by filename, some by hash, some by heuristics on the language... Mixing things up might be enough to get through.

I know it's not a solution, and I don't personally consider this malware, but making a change should mean we're all OK for a couple of months or so - I doubt this is high on any virus scanners target list!

salemshah commented 1 year ago

Kaspersky detects it as a virus.

PeterDaveHello commented 1 year ago

Just for your reference, Check Point Reputation Service also reports it as Malware.

{
  "response": [
    {
      "status": {
        "code": 2001,
        "label": "SUCCESS",
        "message": "Succeeded to generate reputation"
      },
      "resource": "a79b7495fe78235cc215b79736080fee8bc3ef0c5aa04acbd8926d0b4aaf1397",
      "reputation": {
        "classification": "Malware",
        "confidence": "High",
        "severity": "High"
      },
      "risk": 100,
      "context": {
        "malware_family": "4cc5ylty",
        "protection_name": "Malicious Binary.TC.4cc5ylty",
        "malware_types": [
          "Malicious Binary"
        ]
      },
      "findings": {
        "total": 61,
        "positives": 3,
        "file_type": "Script",
        "file_size": 3318,
        "first_seen": "2022-08-03 10:57:37"
      }
    }
  ]
}

PeterDaveHello commented 1 year ago

Information from Doctor Web and Kaspersky is kind of clear, so besides the warning, users can decide to use it or not. Just FYR.

https://vms.drweb.com/virus/?i=25072341

Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server with a time zone of Russian cities.

https://threats.kaspersky.com/en/threat/Hoax.JS.ExtMsg/?orig=Hoax.JS.ExtMsg.a

Script that is added to the es5-ext-main public JavaScript library. Includes an undeclared functionality that displays certain messages, which is triggered depending on the time zone.

kode54 commented 1 year ago

TBQH just emit a multilingual message everywhere and drop the timezone checking, since that's clearly what's setting off the virus alerts, and not Russian bias in Russian security software. Sure, let's just believe that for a hot minute.

medikoo commented 1 year ago

TBQH just emit a multilingual message everywhere and drop the timezone checking, since that's clearly what's setting off the virus alerts, and not Russian bias in Russian security software. Sure, let's just believe that for a hot minute.

@kode54 this message is intended only for Russians in Russia; showing it to everyone everywhere will not make much sense, it'll just be annoying to those to whom it is not addressed.

azerum commented 1 year ago

As an aside, the fact that Kaspersky reports the virus as 'Hoax.JS.ExtMsg.a' makes me wonder about how apolitical and trustworthy it is. Practically speaking, it would be hard to replace it in lots of existing software at this point. Perhaps using their virus DB is OK, but, just as my opinion, I would avoid using it directly.

scotty6435 commented 1 year ago

Trend antivirus has started to detect this as a Trojan now!

I've donated substantial amounts to the fight in Ukraine but this kind of approach in the face of significant disruption to your userbase just means that we will move away ASAP to another tool

medikoo commented 1 year ago

Trend antivirus has started to detect this as a Trojan now!

@scotty6435 if that's the case, it's a clear abuse from antivirus software. You should report it over there, and avoid using it.

confused-Techie commented 1 year ago

Without commenting on the message itself, since at the end of the day, this is the maintainer's repo.

If anyone else is being negatively affected by usage of this repo, as my team and I were, with many many user reports and accusations of our code being malicious, one thing that can be done to resolve it is to fork this repo and remove the offending code, like seen here; then, in whatever repo you are concerned about, you can set a resolution in your package.json to install your forked repository instead of what any dependency or child dependency specifies, like done here.

"resolutions": {
    "es5-ext": "https://github.com/YOUR_ORG/es5-ext"
}

Again, I want to clarify, this isn't meant to attack or disagree with the maintainers of this repository, this is simply educational. Since while in this issue the stated answer is to not trust Kaspersky, that isn't something that could potentially be told to users who won't install or use software because of this. Additionally, if any software relies on this package and is being flagged via Google Chrome's Advanced Protection, there's evidence to support that this is also the cause of it. In which case Google Chrome will stop the download entirely.

robert-gdv commented 3 months ago

Sonatype starts flagging the library as "malicious". Sonatype Firewall therefore blocks it.

robert-gdv commented 3 months ago

Whitelisting the package is risky, because it would create a false negative when this repo is, e.g., hacked and really contains malicious code.

medikoo commented 3 months ago

@robert-gdv have you reported the issue to Sonatype? (there's nothing malicious about the package)

robert-gdv commented 3 months ago

Sonatype refuses to remove this issue from their malicious list

You're correct that the es5-ext package is being flagged as malicious due to the presence of a "political protest message" in the package. This is specifically found in the _postinstall.js file, which displays a message to users within specific time zones es5-ext/_postinstall.js at main · medikoo/es5-ext (github.com).

While this may not impact the running code, it's considered "malicious" because it performs an operation that was not intended by the users who installed the package. This falls under the category of "Unintended Behavior", which is a type of security vulnerability.

If you believe that this package is not malicious and is essential for your development, you have a couple of options:

  1. Use the Vulnerability Lookup: You can use the Vulnerability Lookup feature in the IQ Server to search for the specific vulnerability ID (sonatype-2022-2248). This will provide more details about why the package was flagged as malicious.
  2. Apply a Waiver: If you believe that the risk is acceptable for your specific use case, you can apply a waiver to this security vulnerability. This will allow you to use the package while acknowledging the risk.

Using the Waiver is a good solution in this case, because the ID sonatype-2022-2248 covers this issue with the package. The Waiver would not hide other issues with this package.

medikoo commented 3 months ago

Thanks, @robert-gdv, for reaching out to Sonatype.

Interestingly, there are other packages that present welcome messages during installation, which are also not intended by users who install them (e.g., sponsorship ads). Yet, I never saw them being reported by anti-virus software.

Also, in this package case, it targets a specific group. It's not the noise that is presented to everyone.

robert-gdv commented 3 months ago

My request to Sonatype to remove this malicious flag was denied. I will not follow up on that. It is just not important enough.

alexguevara commented 1 month ago

I'm unable to use Evernote because of this issue. Will obviously report about the problem to Evernote team. The antivirus name is DrWeb which I've been using for more than 10 years now and very happy with it. It's very concerning that political message, whatever that is, is making final products unusable. Can't it be removed?

medikoo commented 1 month ago

@alexguevara report at DrWeb, as this package doesn't do anything malicious that should be a concern. It just conditionally displays a friendly short message when you install it (not when you use it), and note that hundreds of other npm packages do the same. So marking this package as dangerous is simply incorrect.

scotty6435 commented 1 month ago

But the impact of the classification is that many people cannot use the module, are inconvenienced by false positive flags or have to take special actions to whitelist it on every system it runs on. This is a dumb hill to die on