Threat Found. Trojan:Script/Wacatac.H!ml
Description
Tried to open using Wezterm. After typing opencode on the console and pressing Enter, Windows Defender shows a threat pop-up. OpenCode is not opening.
Plugins
No response
OpenCode version
1.1.8
Steps to reproduce
Tried to open using Wezterm. After typing opencode on the console and pressing Enter, Windows Defender shows a threat pop-up. OpenCode is not opening.
Screenshot and/or share link
No response
Operating System
Windows 11
Terminal
Wezterm
This issue might be a duplicate of existing issues. Please check:
- #7655: Running opencode is flagged as trojan on windows - Same Wacatac.H!ml detection on Windows 11 with Wezterm
- #7592: [False Positive?] Windows Defender detects Trojan:Win32/Wacatac.H!ml - Same trojan detection blocking OpenCode
- #3415: Windows Defender falsely flags new releases as trojans - Umbrella issue tracking recurring Wacatac false positives
- #3406: v0.15.16 was infected by a virus and removed by Windows Security - Same Wacatac trojan family issue
- #1103: opencode-windows-x64.zip file contains virus - Older report of Windows antivirus blocking OpenCode
This appears to be part of a recurring pattern of Windows Defender false positives. Feel free to ignore if your specific case differs.
I am getting the same issue every time I open opencode.
It seems that the installer archive is clean: https://www.virustotal.com/gui/file/8AB962BEF658B7E003DD0B982EE912F1EFD9FAADB988AA28582E9E0D2976D76C/detection.
I have the same error for the latest version.
Same error: Windows Defender detects Trojan:Script/Wacatac.H!ml
affected elements file: C:\TMP.3aebb6a10f17efcd-00000001.dll
and blocks opencode 😱
More about Trojan https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AScript%2FWacatac.H!ml&threatid=2147814524
> affected elements file: C:\TMP.3aebb6a10f17efcd-00000001.dll
The dll's name is different every time which makes it impossible to add as exclusion in Windows Defender/Security. So yeah, "just ignore it" LOL...
The only way I was able to continue using OpenCode was to uninstall it, then install the previous version, 1.1.7. But before you launch it, set "autoupdate" : "notify" in ~/.config/opencode/opencode.jsonc. If you don't, OpenCode will auto upgrade to the latest on launch and get blocked again.
> Same error: Windows Defender detects Trojan:Script/Wacatac.H!ml
> affected elements file: C:\TMP.3aebb6a10f17efcd-00000001.dll
> and blocks opencode 😱
> More about Trojan https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AScript%2FWacatac.H!ml&threatid=2147814524
OK, so VirusTotal identifies THREE different threats in this DLL (the DLL name is different every time you try and run the latest OpenCode, which is suspicious on its own). I know false positives for OpenCode are a regular occurrence, but on this occasion, I think this deserves a serious look from the developers. https://www.virustotal.com/gui/file/c7155d1809bf7036fdff80f1d362183c8130ae4714951d78e0f0615a5bc83bc9
> It seems that the installer archive is clean: https://www.virustotal.com/gui/file/8AB962BEF658B7E003DD0B982EE912F1EFD9FAADB988AA28582E9E0D2976D76C/detection.
You've checked the installer, but it's not the installer that triggers the threat detection. It's this DLL and only when you launch OpenCode: https://www.virustotal.com/gui/file/c7155d1809bf7036fdff80f1d362183c8130ae4714951d78e0f0615a5bc83bc9
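
The thread notes that the flagged DLL has a different name on every launch and that the installer hash says nothing about it. The following is an added triage example (not code from the thread or from the OpenCode project) that groups such files by SHA-256 instead of by name and labels any that match the two hashes linked above. The file-name pattern is an assumption inferred from the single path quoted in the thread, and the sample files are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 values from the VirusTotal links in the thread (lower-cased).
REPORTED = {
    "8ab962bef658b7e003dd0b982ee912f1efd9faadb988aa28582e9e0d2976d76c": "installer archive",
    "c7155d1809bf7036fdff80f1d362183c8130ae4714951d78e0f0615a5bc83bc9": "runtime DLL",
}
# Assumption: dropped files look like the one quoted path, TMP.<16 hex>-<8 hex>.dll.
# The thread itself only states that the name changes on every run.
DROPPED = re.compile(r"^TMP\.[0-9a-f]{16}-[0-9a-f]{8}\.dll$", re.IGNORECASE)

def sha256_of(path):
    """Hash a file in 1 MiB chunks so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(directory, known=REPORTED):
    """Group name-randomised DLLs in `directory` by content hash.

    Returns {sha256: {"label": str, "names": [file names]}}; the label is
    "unreported" when the hash is not one of the `known` values.
    """
    groups = {}
    for p in sorted(Path(directory).iterdir()):
        if p.is_file() and DROPPED.match(p.name):
            digest = sha256_of(p)
            entry = groups.setdefault(
                digest, {"label": known.get(digest, "unreported"), "names": []})
            entry["names"].append(p.name)
    return groups

def demo():
    # Constructed sample: two differently named copies of one payload,
    # one distinct payload, and one unrelated file that must be skipped.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "TMP.3aebb6a10f17efcd-00000001.dll").write_bytes(b"constructed-a")
        Path(d, "TMP.0123456789abcdef-00000002.dll").write_bytes(b"constructed-a")
        Path(d, "TMP.fedcba9876543210-00000001.dll").write_bytes(b"constructed-b")
        Path(d, "notes.txt").write_bytes(b"ignored")
        return triage(d)

if __name__ == "__main__":
    for digest, info in demo().items():
        print(digest, info["label"], info["names"])
```

Point `triage` at the directory where the DLLs appear (`C:\` in the reported path); files that Defender has already quarantined will not be present to hash.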