Your installer file on your website is distributing malware
Description
The download link button then windows install - the exe installer has been infected with malware.
Plugins
No response
OpenCode version
No response
Steps to reproduce
No response
Screenshot and/or share link
No response
Operating System
No response
Terminal
No response
This issue might be a duplicate of existing issues. Please check:
- #3406: v0.15.16 was infected by a virus and removed by Windows Security
- #7655: Running opencode is flagged as trojan on windows - Installed through Node Package Manager
- #1103: opencode-windows-x64.zip file contains virus
- #3415: Windows Defender falsely flags new releases as trojans
These issues describe similar Windows Defender/Security detections of malware (primarily Trojan:Script/Wacatac variants) related to OpenCode releases. It appears this is a known recurring issue that the team is actively working to address with code signing and other measures.
Feel free to ignore if this describes a different specific case.
Maybe - but it’s NOT a signing issue - it’s self replicating and definitely a virus. Claude code scanned its files in the temp folder
I think this is a false positive, what are you referring to that was causing issues in temp folder?
No it is not a false positive.
I’ve double checked and it is absolutely malware.
And these guys KNEW.
It’s been flagged before and nothing was fixed.
Now I’ve had to completely wipe my device and lost days of work.
? please share more?
CRITICAL: This is MALWARE
File: C:\users\melba\AppData\Local\Temp.7cdd8f5e2b77f7b9-00000000.node
Why it’s malware:
1. Naming pattern matches known malware - .GUID-00000000.node is identical to Trojan pattern
2. Created during infection - 1:53 PM today (same timeframe as malware detection)
3. No digital signature - NotSigned
4. Large size - 3.6 MB, unusual for a temp Node.js addon
5. Hash identified - specific malware signature
This is a common windows defender L. This can trigger for archives with no binaries whatsoever.
Windows Defender is nothing but trouble - disable it.
Naturally, claude is clearly incorrect. You asked it and from your question an LLM will try to answer positively using whatever it can find. They are not trained to answer no and to disprove.
CRITICAL: This is MALWARE File: C:\users\melba\AppData\Local\Temp.7cdd8f5e2b77f7b9-00000000.node Why it’s malware:
- Naming pattern matches known malware - .GUID-00000000.node is identical to Trojan pattern
- Created during infection - 1:53 PM today (same timeframe as malware detection)
- No digital signature - NotSigned
- Large size - 3.6 MB, unusual for a temp Node.js addon
- Hash identified - specific malware signature
Instead of relying on LLM hallucinations, Google the old-fashioned way. There's a reason the detection is inconsistent on different opencode versions: the temp dll and node files are being heuristically detected as Trojans. Look into the contributors behind opencode, these people aren't malicious or idiots.
@melbazpeach-source Just to be fair, could you please upload the file to https://www.virustotal.com/gui/home/upload?
I have completely wiped my 2-week-old computer now. So as soon as your installer hit my system, it: Tried to install 10 copies of itself. It hammered my security. Security stopped 9. 1 version got through. In the 10 seconds it took for me to take my system offline, it had already created 5 replicas of its payload in my temp drive. It had altered group policy. And it had changed the date on all the files it touched to tomorrow’s date.
So honestly? I don’t know if that’s what your code is supposed to do but common sense says it’s not. If it is, I apologise.
The fact you are all fobbing it off as false positive, and letting people's machines get fkd over, is not doing much for the UX nor trustworthiness of your products tbh.
Upload to virustotal. What you are describing has nothing to do with what opencode does.
By install you mean this? curl -fsSL https://opencode.ai/install | bash
Windows installer:
https://www.virustotal.com/gui/file/3fcb5f22adbfa3ef280d8aaae529148e56853e62b3bfdad16b321dc651475561
It seems that the installer archive is clean: https://www.virustotal.com/gui/file/8AB962BEF658B7E003DD0B982EE912F1EFD9FAADB988AA28582E9E0D2976D76C/detection
opentui.dll dependency is tripping up the windows 666 beast
when cloning the source code windows quickly quarantines the node_modules/opentui/opentui.dll
@4cecoder You got lucky. This is what I got :-(
See [attached]
Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing on.pdf
I'm old enough to remember when people cared about infections on their PC. Hell, I remember when people valued their privacy and rights as well. I read the report. It's a big enough red flag for me. Do better.
i just went through everything that was posted here
nothing stands out to me - opencode has a binary dep called opentui which gets extracted on first run to a .dll and then called into with FFI
seems like some scans look at this and feel like it's similar behavior to malware
if someone can point to something more specific we're happy to take a look - i've checked our CI process and nothing has changed
same binaries produced as always
additionally everyone here is trying to help your issue - being insulting isn't particularly helpful
one thing that did stand out was this path
"H:\baidu\netdisk\pc-international-unite\src\node_modules\uiohook-napi"
this is what your security report is about - i don't know what this is and it's unrelated to opencode
is this your project?
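An added triage example (not part of the thread and not OpenCode's code): the Python below inventories temp files shaped like the reported `.7cdd8f5e2b77f7b9-00000000.node`, groups them by SHA-256 so copies with identical contents show up together, and flags modification times that lie in the future. The eight-hex-digit suffix in the name pattern and the function names are assumptions; the sample files are constructed.

```python
import hashlib
import os
import re
import tempfile
import time
from collections import defaultdict
from pathlib import Path

# Name shape of the file reported in the thread: .7cdd8f5e2b77f7b9-00000000.node
# Assumption: the suffix is always eight hex digits; the thread shows only zeros.
NODE_TEMP = re.compile(r"^\.[0-9a-f]{16}-[0-9a-f]{8}\.node$", re.IGNORECASE)


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so multi-megabyte addons are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(temp_dir, now=None):
    """Group matching temp files by SHA-256 and record size and mtime anomalies."""
    now = time.time() if now is None else now
    groups = defaultdict(list)
    for path in sorted(Path(temp_dir).iterdir()):
        if not (path.is_file() and NODE_TEMP.match(path.name)):
            continue
        st = path.stat()
        groups[sha256_file(path)].append({
            "name": path.name,
            "size": st.st_size,
            "future_mtime": st.st_mtime > now,  # the "tomorrow's date" claim
        })
    return dict(groups)


if __name__ == "__main__":
    # Constructed sample data: two identical copies plus one unrelated file.
    with tempfile.TemporaryDirectory() as d:
        for name in (".7cdd8f5e2b77f7b9-00000000.node", ".0123456789abcdef-00000000.node"):
            Path(d, name).write_bytes(b"constructed sample bytes")
        Path(d, "notes.txt").write_text("ignored")
        tomorrow = time.time() + 86400
        os.utime(Path(d, ".0123456789abcdef-00000000.node"), (tomorrow, tomorrow))
        for digest, files in triage(d).items():
            print(digest, len(files), "file(s)")
            for f in files:
                print("  ", f)
```

A SHA-256 produced this way can be searched on VirusTotal directly, which answers the request made in the thread without uploading the file itself.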