Trojan.disco detected by VirusTotal

[shunyun-bp]

What version of pkg are you using?

5.8.1

What version of Node.js are you using?

18.17.1

What operating system are you using?

macOS 13.5.2

What CPU architecture are you using?

arm64

What Node versions, OSs and CPU architectures are you building for?

Windows x64

Describe the Bug

Nodejs scripts compiled for win-x64 are flagged as containing a trojan. NodeJS scripts compiled by pkg are not flagged for other platforms (linux, macos), only Windows.

Also, Vercel's email address "responsible.disclosure@vercel.com" bounces emails.

Expected Behavior

A simple nodejs script (e.g. only containing console.log("hello world") and having no dependencies) should not be flagged as having any virus, especially when it's only for Windows binaries.

To Reproduce

I created a test directory, ran "npm init -y", ran "npm install", then created a simple script as follows: console.log("hello world"); I then packaged using pkg 5.8.1 as follows: pkg --debug --targets macos-x64,macos-arm64,win-x64,linux-x64 test.js

I then uploaded the resulting test-win-x64.exe to virustotal.com. The results are as follows: Avast Win64:Malware-gen AVG Win64:Malware-gen Cyren W64/Discord.K.gen!Eldorado Google Detected Jiangmin Trojan.PSW.Disco.gqn Zillya Trojan.Disco.Win32.8458

[shunyun-bp]

As a follow-up, just to try to isolate things, I installed pkg to the test utility as a development dependency then used the local copy, as follows: node_modules/.bin/pkg --debug --targets macos-x64,macos-arm64,win-x64,linux-x64 test.js Same results.

I then searched global for any instances of pkg and found an older nvm node path (18.14.0) with bin/pkg so I removed all but LTS from my computer. Then removed pkg from node_modules and reinstalled locally(devDependencies) and tried again, then uploaded to VirusTotal. Same results.

[shunyun-bp]

Follow-up. Stood up a new Linux instance on AWS Cloud9 then repeated the test. Same results. So appears to not be just on macOS.

[Firgen2]

Same problem, any things?

[jhuckaby]

This happens a lot. False positives. See Issue #1715, and Issue #1540.

Try to report the EXE as a false positive. See here:

https://www.starmessagesoftware.com/blog/report-submit-false-positive-antivirus-software

[shunyun-bp]

So here's my concern: This is happening with a simple "hello world" script. It's not the script, it's PKG. Why do these keep getting closed, as if it's the problem of the user? I challenge anyone to create the smallest, simplest, most innocuous Nodejs script and package with PKG, see if the Windows binary is not flagged as a virus.

@jhuckaby how is reporting the exe as a false positive going to solve this issue? I use PKG extensively, creating CLI utilities every day and updating versions. Are you suggesting that I just make this a part of my pipeline?

[jhuckaby]

I suspect that at some point someone created an actual virus using pkg, and it got reported and cataloged in all the antivirus databases. The problem is, most pkg EXEs are like 99.99% Node.js runtime boilerplate, and 0.01% actual code. I think many antivirus software apps don't checksum the entire file, but instead look for signatures in blocks across the file, so they get an "almost 100%" positive result on one of our benign pkg EXEs, because most of the file blocks match the known virus.

This is a hairy problem.

Honestly, I think we need to flood the antivirus people with false positive reports, to get them to do something.

Are you suggesting that I just make this a part of my pipeline?

I believe you said this as a joke, but it honestly made me think. Could we actually do something like this? Like, "pre-whitelist" our PKG EXEs the moment they are minted.

Sort of like how Apple has their notarization process for macOS apps, I wonder if there is a way to notarize EXEs so they are "whitelisted" with antivirus apps?

Just brainstorming.

[shunyun-bp]

@jhuckaby LOL, no, was serious... To your point and brainstorming. Wondering the same thing. I compile on MacOS and TBH have never signed a utility in my life, so the first thing I think is "maybe it's time I learn..." I suspect the challenge is going to be how to sign all three platforms (Mac, Linux, Win). As to pipeline and flooding the av vendors with false positives, I suppose we could use the VirusTotal (or other) API to check, then auto-post or email to the complaining vendors. The worst, for the moment, is Google, as they don't seem to have a single api or email address for handling false positives. E.g. support@cyren.com, support@jiangmin.com, etc.

[shunyun-bp]

@jhuckaby followup, see 1655#issuecomment-1229241971 , wondering if use of Authenticode-JS may be the first step?

[jhuckaby]

@shunyun-bp Yeah, same here, I code on macOS, but I've never gone through the notarization process.

Authenticode-JS looks great! That's definitely worth checking out.

You know... I think the Electron app people have all this stuff already figured out -- multi-platform signing and notarization I mean. I wonder if we can copy how they do it, but apply it for pkg apps?

Oh wow, I'll bet there's even a GitHub Actions automation thingy for doing this stuff...

https://federicoterzi.com/blog/automatic-codesigning-on-windows-using-github-actions/

[shunyun-bp]

Oh wow, I'll bet there's even a GitHub Actions automation thingy for doing this stuff...

https://federicoterzi.com/blog/automatic-codesigning-on-windows-using-github-actions/

Oh, that looks promising! I'm going to give this a shot today...

[shunyun-bp]

update; authenticode-js won't parse windows executables compiled by pkg (at least, not for me.). After some searching, seems the only way to do this is to compile on Windows and sign on Windows. Still going to pursue the github actions.

[perrylets]

Has there been any development on this?

Just to clarify, when I say "development," I mean the situation, not necessarily code.