Closed. motyafl closed this 7 months ago.
This is most likely because the released binaries were packed with UPX (essentially compression), since they are quite large. This will be picked up as an obfuscation method by Windows Defender, since it moderately obfuscates the hashes of known malicious bits of code and executables. UPX leaves a few magic strings inside the binary. You can see this if you run xxd on the binary, or use any hexdump tool and grep -i upx.
I highly encourage everyone to look at the source code and verify for yourself, as well as build from source if you would like to, so that you can ensure that it is safe. If you wanted to try to recreate the exact same release binary: I used the .goreleaser.yaml file to automatically compile, pack and release these binaries, but I bet you could run the same process on the same commit and then run something like shasum or sha512sum on the resulting builds to verify their integrity. I didn't foresee this, but I wouldn't have any issue making build verification easier in the future if there is some solid way to do this.
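The two checks suggested in the comment above, scripted as an added example (this is not the project's own code and does not use its .goreleaser.yaml): look for the "UPX" magic that the packer leaves in section names and its header, and compare a downloaded binary's SHA-256 against the hash of a build you made yourself from the same commit. The sample files are constructed inline so the script runs offline; `od` is used rather than `xxd` because `od` is POSIX and `xxd` is not always installed.

```shell
#!/bin/sh
# Added example (not the project's code). Three helpers:
#   has_upx_marker FILE    - succeeds if FILE contains the bytes "UPX"
#                            (55 50 58), present in the UPX0/UPX1 section
#                            names and the "UPX!" header magic of packed files.
#   sha256_of FILE         - prints FILE's SHA-256 via sha256sum (coreutils)
#                            or shasum -a 256 (macOS / perl).
#   verify_sha256 FILE HEX - succeeds if FILE's SHA-256 equals HEX, e.g. the
#                            hash of your own build from the same commit.

has_upx_marker() {
  # -A n drops offsets, -t x1 prints one byte per column, -v prints every
  # line (no "*" collapsing of repeats). Each byte is preceded by a space and
  # so is the start of each line, so after joining lines the pattern can only
  # match on a byte boundary, not across two unrelated bytes.
  od -A n -t x1 -v "$1" | tr -d '\n' | grep -q ' 55 50 58'
}

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# Constructed sample files (not real release binaries): a fake packed PE
# fragment carrying a "UPX0" section name and the "UPX!" header magic, and a
# clean fragment with ordinary ".text"/".data" section names.
make_samples() {
  dir=$(mktemp -d)
  printf 'MZ\220\000\003\000\000\000UPX0\000\000\000\000UPX!\015\027\010\013' > "$dir/packed.bin"
  printf 'MZ\220\000\003\000\000\000.text\000\000\000.data\000\000\000' > "$dir/clean.bin"
  echo "$dir"
}

# Demo on the constructed samples. Against a real release you would run the
# same calls on the downloaded binary and on your own build of that commit,
# then compare the two hashes with verify_sha256.
dir=$(make_samples)
for f in "$dir/packed.bin" "$dir/clean.bin"; do
  if has_upx_marker "$f"; then
    echo "$f: UPX marker found (packed; AV heuristics may flag it)"
  else
    echo "$f: no UPX marker"
  fi
  echo "$f: sha256 $(sha256_of "$f")"
done
rm -r "$dir"
```

A match on "UPX" only tells you the binary was packed, not that it is malicious; the hash comparison against a build from the same commit is what establishes that the release is the code you read.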
Okay, thank you! I will try to build it myself, I just wanted you to know about it.
I appreciate it! Let me know if you need any help.
I got this after trying to run v0.2: and I scanned it with the Virustotal website: