
Running opencode is flagged as trojan on Windows - Installed through Node Package Manager

Open Xavier-Burger opened this issue 2 weeks ago • 5 comments

Description

I have been using opencode throughout the week on my work machine, it has been great. Today in between sessions opencode automatically updated as per my config, and from then on it has been marked as triggering a trojan called wacatac.h!ml

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AScript%2FWacatac.H!ml&threatid=2147814524

I have had issues with auto-update before, where my commandline would complain that the installed version was not valid. It went away after re-installing through npm -g

I am on Windows, I use Wezterm as my terminal, with PowerShell 7 as my shell.

I am not looking forward to explaining this one to IT at work 😅

Plugins

None

OpenCode version

v1.1.12

Steps to reproduce

  1. Begin in Windows, in a Wezterm terminal running PowerShell
  2. Install v1.1.11 via npm -g install opencode.ai
  3. Configure the opencode.jsonc to allow autoupdate
  4. Wait for autoupdate
  5. Restart opencode via /exit, then opencode
  6. Observe the Windows Defender notification about a trojan detected.

Screenshot and/or share link

Full testing, with uninstall / re-install test. I was using 1.1.11 previously, it was fine. This broke after the autoupdate

Image

Operating System

Windows 11

Terminal

Wezterm

Xavier-Burger avatar Jan 10 '26 15:01 Xavier-Burger

This issue might be a duplicate of existing issues. Please check:

  • #7592: [False Positive?] Windows Defender detects Trojan:Win32/Wacatac.H!ml when running opencode (reported same day with same detection)
  • #3415: Windows Defender falsely flags new releases as trojans (tracking recurring false positives with mitigation plans)
  • #3406: v0.15.16 was infected by a virus and removed by Windows Security (similar Wacatac detection)

These issues discuss the same Windows Defender heuristic detection and potential solutions including code signing and submitting false positives to Microsoft.

Feel free to ignore if your specific case differs from these reports.

github-actions[bot] avatar Jan 10 '26 15:01 github-actions[bot]

I have tested each of the recent releases to find one that does not cause the false positive. It seems 1.1.8 is ok, ~1.1.10+ is triggering the issue.~

EDIT: After looking into similar issues raised, this seems to be a heuristic-based flagging. I am leaving this issue open as in my case I installed through npm, not through the downloadable package. I cannot whitelist the file, because this is my work machine and is pretty locked down.


For those stuck, run the PowerShell commands below (individually) to clear the temp folder and install 1.1.8 explicitly. Also make sure to update your config to not autoupdate.

~\.config\opencode\opencode.jsonc:

{
  "$schema": "https://opencode.ai/config.json",
  "autoupdate": false,
  // Rest of your configuration...
}

Clearing temp and installing 1.1.8:

# Clear the per-user temp folder
Remove-Item -Path "$env:LOCALAPPDATA\Temp\*" -Recurse -Force -ErrorAction SilentlyContinue
# Remove the current global install and pin 1.1.8
npm uninstall -g opencode-ai
npm install -g opencode-ai@1.1.8
# Reload PATH in the current session (Chocolatey helper; opening a new terminal also works)
refreshenv
# Confirm the pinned version is what is installed, then start it
npm list -g --depth=0
opencode

Xavier-Burger avatar Jan 10 '26 16:01 Xavier-Burger

This workaround is extremely useful, @Xavier-Burger! Thx a lot!

markusbegerow avatar Jan 11 '26 07:01 markusbegerow

Yesterday, Defender gave me the false positive on version 1.1.12, and I disabled auto-update (see previous post https://github.com/anomalyco/opencode/issues/7655#issuecomment-3733104534). I installed 1.1.8, which seemed fine, but today I had the same false positive with 1.1.8. I installed 1.1.13, with the same false positive. At every step, I uninstalled, cleaned, and reinstalled using npm (see previous post https://github.com/anomalyco/opencode/issues/7655#issuecomment-3733104534).

My "temporary" solution was to exclude some files in the \Local\Temp\ folder from Defender. It may not be the final solution, but for now it works.

In an Administrator-level PowerShell, run these commands one after the other.

Add-MpPreference -ExclusionPath "C:\Users\YOUR-USER\AppData\Local\Temp\*-00000000.dll"

Add-MpPreference -ExclusionPath "C:\Users\YOUR-USER\AppData\Local\Temp\*-00000001.dll"

Add-MpPreference -ExclusionPath "C:\Users\YOUR-USER\AppData\Local\Temp\*-00000002.dll"

Add-MpPreference -ExclusionPath "C:\Users\YOUR-USER\AppData\Local\Temp\*-00000003.dll"

At this point you can reactivate opencode auto-update (see previous post https://github.com/anomalyco/opencode/issues/7655#issuecomment-3733104534).

If you want to check what is excluded from Defender, use: Get-MpPreference | Select-Object -ExpandProperty ExclusionPath

To remove the Defender exclusions in the future, use: Remove-MpPreference -ExclusionPath "C:\Users\YOUR-USER\AppData\Local\Temp\*-00000000.dll", and likewise for 001, 002 and 003.

Molder72 avatar Jan 11 '26 15:01 Molder72
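Before applying either workaround in this thread (pinning 1.1.8 and clearing Temp, or excluding `*-0000000N.dll` patterns under Temp), it is worth seeing exactly what Defender flagged and how broad those exclusions are. The script below is an added example for that, not code from the thread or from the opencode project. It uses the built-in Defender cmdlets `Get-MpThreat`, `Get-MpThreatDetection` and `Get-MpPreference`; the `file:_<path>` format of the `Resources` entries is an assumption about how Defender reports flagged files. The last function needs network access and npm, and the package name `opencode-ai` and version 1.1.8 are taken from the posts above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the issue thread or from opencode). Assumes Windows 11,
# PowerShell 7 and the built-in Defender module. It (1) lists what Defender
# flagged as Wacatac and hashes any file still on disk, (2) shows how many files
# each Temp exclusion currently matches, and (3) checks the npm tarball against
# the registry's published integrity hash.

function Get-WacatacDetections {
    # Map ThreatID -> ThreatName so detections can be filtered by name.
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

    Get-MpThreatDetection |
        Where-Object { $names[$_.ThreatID] -like '*Wacatac*' } |
        Sort-Object InitialDetectionTime -Descending |
        ForEach-Object {
            $d = $_
            foreach ($res in $d.Resources) {
                # Assumed format: "file:_C:\Users\...\Temp\abcd-00000000.dll".
                # Non-file resources (e.g. "process:_...") are skipped.
                if ($res -notlike 'file:_*') { continue }
                $path = $res.Substring('file:_'.Length)
                $hash = if (Test-Path -LiteralPath $path) {
                    (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                } else { '(no longer present: quarantined or removed)' }
                [pscustomobject]@{
                    When   = $d.InitialDetectionTime
                    Threat = $names[$d.ThreatID]
                    Path   = $path
                    SHA256 = $hash   # keep this if you submit a false-positive report
                }
            }
        }
}

function Test-TempExclusions {
    # A pattern such as ...\Temp\*-00000000.dll excludes every file that any
    # process drops into that user-writable folder with that suffix, not only
    # opencode's. Show each Temp exclusion and what it matches right now.
    foreach ($ex in (Get-MpPreference).ExclusionPath) {
        if ($ex -notlike '*\Temp\*') { continue }
        $hits = @(Get-ChildItem -Path $ex -File -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Exclusion = $ex
            Wildcard  = $ex.Contains('*')
            FilesNow  = $hits.Count
        }
    }
}

function Test-NpmTarballIntegrity {
    param([string]$Package = 'opencode-ai', [string]$Version = '1.1.8')
    # Needs network access. npm already verifies this on install; repeating it
    # shows the tarball you get is the one the registry advertises, which rules
    # out local tampering but not a compromised package on the registry itself.
    $spec = "$Package@$Version"
    $integrity = (npm view $spec dist.integrity).Trim()   # e.g. "sha512-<base64>"
    $algo, $b64 = $integrity -split '-', 2
    $expected = ([BitConverter]::ToString([Convert]::FromBase64String($b64))) -replace '-', ''

    $dir = Join-Path ([IO.Path]::GetTempPath()) "npm-verify-$([guid]::NewGuid())"
    New-Item -ItemType Directory -Path $dir | Out-Null
    npm pack $spec --pack-destination $dir | Out-Null
    $tgz = Get-ChildItem -Path $dir -Filter '*.tgz' | Select-Object -First 1
    $actual = (Get-FileHash -LiteralPath $tgz.FullName -Algorithm $algo.ToUpper()).Hash
    [pscustomobject]@{
        Package   = $spec
        Algorithm = $algo
        Match     = ($actual -eq $expected)
        Tarball   = $tgz.FullName
    }
}

Get-WacatacDetections    | Format-Table -AutoSize
Test-TempExclusions      | Format-Table -AutoSize
Test-NpmTarballIntegrity -Version '1.1.8'
```

The second function is the one to look at before adopting the exclusion workaround: a wildcard exclusion in a user-writable Temp directory is exactly the kind of gap a dropper would use, and on a managed corporate device it is also the kind of change an IT team will want a ticket for. If you do exclude, prefer the specific paths reported by the first function (re-adding them when the tool regenerates its files) and keep the recorded hashes so the exclusion can be justified and later removed with `Remove-MpPreference`.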

Even 1.1.8 gets blocked on my machine now. As it's a corporate device, I am now stuck. Is there any other workaround, or is someone trying to work around this issue?

Update: 1.1.7 works for me

repolevedavaj avatar Jan 11 '26 20:01 repolevedavaj