opencode icon indicating copy to clipboard operation
opencode copied to clipboard
Published 8 hours ago verified publisher icon anomalyco

Running opencode is flagged as trojan on windows - Installed through Node Package Manager

Open Xavier-Burger opened this issue 4 days ago • 5 comments

Description

I have been using opencode throughout the week on my work machine, it has been great. Today in between sessions opencode outomatically updated as per my config, and from then on it has been marked as triggering a trojan called wacatac.h!ml

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AScript%2FWacatac.H!ml&threatid=2147814524

I have had issues with auto-update before, where my commandline would complain that the installed version was not valid. It went away after re-installing through npm -g

I am on Windows, I use Wezterm as my terminal, with PowerShell 7 as my shell.

I am not looking forward to explaining this one to IT at work 😅

Plugins

None

OpenCode version

v1.1.12

Steps to reproduce

  1. Begin in windows, in a Wezterm terminal running powershell
  2. install v1.1.11 via npm -g install opencode.ai
  3. Configure the opencode.jsonc to allow autoupdate
  4. Wait for autoupdate
  5. restart opencode via /exit, then opencode
  6. Observe windows defender notification about a trojan detected.

Screenshot and/or share link

Full testing, with uninstall / re-install test. I was using 1.1.11 previously, it was fine. This broke after the autoupdate

Image

Operating System

Windows 11

Terminal

Wezterm

Xavier-Burger avatar Jan 10 '26 15:01 Xavier-Burger