pnpm / pnpm

Fast, disk space efficient package manager
https://pnpm.io
MIT License

Windows flags installation script as malware #7303

Open perrylets opened 10 months ago

perrylets commented 10 months ago

Verify latest release

pnpm version

No response

Which area(s) of pnpm are affected? (leave empty if unsure)

No response

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

Try to install pnpm on Windows with winget or the provided PowerShell snippet on Windows.

Describe the Bug

Windows Defender will flag what I assume is the temp file for the installation as malware and stop the execution of the script.

Expected Behavior

pnpm should be installed correctly without the process stopping.

Which Node.js version are you using?

21.1.0

Which operating systems have you used?

If your OS is Linux based, which one is it? (Include the version if relevant)

No response

zkochan commented 10 months ago

I don't know how we can prevent this or why it is happening. Any ideas are welcomed.

nachoaldamav commented 10 months ago

I'm unable to reproduce it on my side, just to check something, do you have the Developer mode enabled in Windows?

MagnusAycox commented 10 months ago

I get this on Windows 11, Node 20.9.0 (LTS). It's AVG that flags the pnpm.exe as containing the FileRepMalware.

nachoaldamav commented 10 months ago

I just found out that Google Chrome also flags it as possible malware, I'm checking it.

Edit: as expected it didn't find anything.

Looks like the term FileRepMalware is a very generic malware description, so I don't really know why 3 antiviruses are flagging pnpm as that.

https://www.virustotal.com/gui/file/a17f5df05a92753c5d2402e096548e148564e08bcefb4c00e48f6b0565f1007a/detection

MagnusAycox commented 10 months ago

Fun detail: using the iwr https://get.pnpm.io/install.ps1 -useb | iex command made AVG go crazy. Using volta install pnpm worked, without any pesky AVG interference. So... a fix for those of us using Volta.

zkochan commented 10 months ago

Maybe we need to sign the ps1 script or pnpm.exe.

nachoaldamav commented 10 months ago

Is it possible to do that with pkg? I don't find anything about that in the pkg repo.

nachoaldamav commented 10 months ago

Related issue I think https://github.com/vercel/pkg/issues/1992

perrylets commented 10 months ago

I'm unable to reproduce it on my side, just to check something, do you have the Developer mode enabled in Windows?

Yes

@nachoaldamav

sartoz commented 10 months ago

Avast is also detecting pnpm.exe as a FileRepMalware when I use iwr to install pnpm.


rvion commented 9 months ago

Does anyone know a practical fix to avoid this issue?

perrylets commented 8 months ago

vercel/pkg#1992 has been closed, likely because pkg is deprecated now. So what can be done now?

nachoaldamav commented 8 months ago

@perrylets Vercel deprecated pkg yesterday and removed all the issues from the repo. They said there are more alternatives to pkg and the new node option to create executables. But that feature was added in Node 21, so it won't work for pnpm as we should support previous versions.

Maybe we can check this feature, Single executable applications (nodejs.org), that looks like it was added in v18.16.0. It has support for adding signatures to the binaries (which I think will fix the issue with the antivirus). FYI @zkochan

jasongodev commented 8 months ago

It is still being flagged as malware by Avast and AVG. See the VirusTotal page of the pnpm 8.14.1 exe submission here: https://www.virustotal.com/gui/file/359186fff814c3d8eed00ce341e4deb78a316a208cef8c0052b8343d7ecd862f/community

Please upvote pnpm's community reputation in VirusTotal by clicking the green checkmark. That way it will be flagged as a false positive and somehow malware researchers at each of the companies will be alerted (hope so).

spokospace commented 6 days ago

Hello, how to resolve the issue with the latest version of pnpm on Windows 11 Enterprise? Currently I can't install it because of a "virus":

PS C:\WINDOWS\system32> Invoke-WebRequest https://get.pnpm.io/install.ps1 -UseBasicParsing | Invoke-Expression
Downloading pnpm from GitHub...

Running setup...

Start-Process : This command cannot be run due to the error: Operation did not complete successfully because the file contains a virus or potentially unwanted software.
At line:139 char:1
+ Start-Process -FilePath $tempFile -ArgumentList "setup" -NoNewWindow  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand

zkochan commented 6 days ago

You can install the js version of pnpm that doesn't come bundled with Node.js. You can use npm or corepack to do so. So, with npm you should run:

npm i -gf pnpm

sartoz commented 6 days ago

Maybe we need to sign the ps1 script or pnpm.exe.

@zkochan any update on signing the files?

zkochan commented 6 days ago

The suggested solution is to use node's single executable applications, which are still experimental. pkg was deprecated but has a well maintained fork. I don't think we should switch to node's single executable applications at this time. We can sign the binaries but I don't have experience with how to do it. As far as I understand the binary for macOS is signed by pkg.
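
A check a Windows user can run before trusting the downloaded binary, as an added example that is not part of the pnpm project or of this thread: it saves install.ps1 to disk instead of piping it to Invoke-Expression (the iwr | iex pattern from the error above), and after installation reports whether pnpm.exe carries an Authenticode signature and whether its SHA-256 matches a hash you supply. The $ExpectedSha256 placeholder and the pnpm.exe path under $env:LOCALAPPDATA\pnpm are assumptions; adjust them to your release and PNPM_HOME.

```powershell
# Added example (not pnpm's own code): review-then-run install plus post-install checks.
param(
    # SHA-256 you trust for the release you intend to install (placeholder; fill in).
    [string]$ExpectedSha256 = '<sha256 of the pnpm.exe you expect>',
    # Where the installer places pnpm.exe; assumption, adjust if your PNPM_HOME differs.
    [string]$PnpmExe = (Join-Path $env:LOCALAPPDATA 'pnpm\pnpm.exe')
)

# 1. Save the installer script to disk so it can be read before it runs,
#    instead of 'iwr ... | iex', which executes it unseen.
$script = Join-Path $env:TEMP 'pnpm-install.ps1'
Invoke-WebRequest -Uri 'https://get.pnpm.io/install.ps1' -UseBasicParsing -OutFile $script
Write-Host "Installer saved to $script. Review it, then run it with: & $script"

function Test-PnpmBinary {
    param([string]$Path, [string]$Sha256)
    if (-not (Test-Path $Path)) { throw "pnpm.exe not found at $Path" }

    # Authenticode status is 'Valid' only for a trusted signature; an unsigned
    # binary reports 'NotSigned', which is the state discussed in this thread.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # SHA-256 is what VirusTotal keys its reports on, so it can be compared
    # directly against a submission like the ones linked above.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256          = $actual
        HashMatches     = ($actual -ieq $Sha256)
    }
}

# 2. Run after the installer has completed. Treat the binary as trusted only
#    when the hash matches; a trusted signature is the stronger signal when present.
$result = Test-PnpmBinary -Path $PnpmExe -Sha256 $ExpectedSha256
$result | Format-List
if (-not $result.HashMatches) {
    Write-Warning 'Hash differs from the expected value; do not use this binary until you know why.'
}
```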

mdekrey commented 5 days ago

Stumbled upon this issue while migrating away from corepack, given Node's stated goal of removing corepack. Is there a way to install the latest version of pnpm on Windows to use it as the Node version manager?

zkochan commented 5 days ago

If there's no way to install the pnpm executable on Windows, then you should still be able to manage Node.js versions of projects but not the global Node.js. So, pnpm will be able to manage the Node.js used during pnpm run or pnpm node but not the Node.js in your CLI.