Discourse updates - Microsoft Defender reports detection of Wacatac malware

Hi,

We have a self-hosted instance of Discourse on a virtual machine and after applying most recent Discourse updates v3.4.0.beta3 +431we have received alert from Microsoft Defender about Wacatac malware:

image1625×1245 210 KB

We have removed the file, restarted the virtual machine and now we´re waiting for another scan to run. This has already happened on December 2024 when we were pulling most recent Discourse updates.
It seems that Wacatac is somehow coming via Discourse updates or it might also be a false positive…

Is anyone else facing this issue?

Please can you let us know the full path of the file it detected?

var/lib/docker/overlay2/d5d34d6148be507180106dc3b39b8b3d266b5e221fd5df48ce023df57186d4ef/diff/home/discourse/.local/share/pnpm/store/v3/files

(we always find it here)

.../pnpm/store/v3/files is a directory. Do you have the name of the specific file as well?

/var/lib/docker/overlay2/93cd7bbb9de06047b645e0b7e3fd788546257d0b2d980e21df3cb0c5c802e80f/diff/home/discourse/.local/share/pnpm/store/v3/files/1e/a9a94e4c7f5e4b8e407d5bbbec51f6167dd6470f9e9c6b41b3f99facbe9749c0c1a60f6cac13a74d7e09482601470bea436265eccd6091e0767ff9b05e66eb-exec

And for the one from December 2024:
/var/lib/docker/overlay2/d5d34d6148be507180106dc3b39b8b3d266b5e221fd5df48ce023df57186d4ef/diff/home/discourse/.local/share/pnpm/store/v3/files/23/f5520e308f56ab79324ef0ea1249acf7aa09f192d1b5e5599b3b284e46f1e6c0d6d58707b63a9c965399930b6148639ef2bd6d1d4d55343448ba42b4535440-exec

Thanks for the extra info!

@mwaniki helped me to do some checks on this. The first file you shared is a cache of the lefthook binary:

$ md5sum /home/discourse/.local/share/pnpm/store/v3/files/1e/a9a94e4c7f5e4b8e407d5bbbec51f6167dd6470f9e9c6b41b3f99facbe9749c0c1a60f6cac13a74d7e09482601470bea436265eccd6091e0767ff9b05e66eb-exec
8bfaa34901d5a7b34090b3a862793f90  /home/discourse/.local/share/pnpm/store/v3/files/1e/a9a94e4c7f5e4b8e407d5bbbec51f6167dd6470f9e9c6b41b3f99facbe9749c0c1a60f6cac13a74d7e09482601470bea436265eccd6091e0767ff9b05e66eb-exec
$ find /var/www/discourse/node_modules/ -type f -exec md5sum {} + | grep '^8bfaa34901d5a7b34090b3a862793f90'
8bfaa34901d5a7b34090b3a862793f90  node_modules/.pnpm/lefthook-linux-x64@1.10.8/node_modules/lefthook-linux-x64/bin/lefthook

The second is esbuild:

$ md5sum /home/discourse/.local/share/pnpm/store/v3/files/23/f5520e308f56ab79324ef0ea1249acf7aa09f192d1b5e5599b3b284e46f1e6c0d6d58707b63a9c965399930b6148639ef2bd6d1d4d55343448ba42b4535440-exec
25b47c7a561185d07c8c3d98ade527af  /home/discourse/.local/share/pnpm/store/v3/files/23/f5520e308f56ab79324ef0ea1249acf7aa09f192d1b5e5599b3b284e46f1e6c0d6d58707b63a9c965399930b6148639ef2bd6d1d4d55343448ba42b4535440-exec
$ find node_modules/ -type f -exec md5sum {} + | grep '^25b47c7a561185d07c8c3d98ade527af'
25b47c7a561185d07c8c3d98ade527af  node_modules/.pnpm/@esbuild+linux-x64@0.24.2/node_modules/@esbuild/linux-x64/bin/esbuild
25b47c7a561185d07c8c3d98ade527af  node_modules/.pnpm/esbuild@0.24.2/node_modules/esbuild/bin/esbuild

Those md5 hashes correspond to the published versions on npm, so we can be confident that they haven’t been tampered with between the registry and your installation:

$ curl -s https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.24.2.tgz | tar -Oxzf - package/bin/esbuild | md5sum
25b47c7a561185d07c8c3d98ade527af  -
$ curl -s https://registry.npmjs.org/lefthook-linux-x64/-/lefthook-linux-x64-1.10.8.tgz | tar -Oxzf - package/bin/lefthook | md5sum
8bfaa34901d5a7b34090b3a862793f90  -

So I think this has to be a false positive from Microsoft Defender. Removing esbuild from your Discourse installation will cause issues, so I’d recommend against that.

Searching online, it seems like Microsoft Defender falsely alerting against npm packages is fairly common. Here’s an example of a false detection of esbuild in the past.

Thanks so much @david and @mwaniki!

We will now try to reach out to Microsoft Defender´s support team and share their feedback if/when we get one.