Discourse updates - Microsoft Defender reports detection of Wacatac malware

Support
6

Thanks for the extra info!

@mwaniki helped me to do some checks on this. The first file you shared is a cache of the lefthook binary:

$ md5sum /home/discourse/.local/share/pnpm/store/v3/files/1e/a9a94e4c7f5e4b8e407d5bbbec51f6167dd6470f9e9c6b41b3f99facbe9749c0c1a60f6cac13a74d7e09482601470bea436265eccd6091e0767ff9b05e66eb-exec
8bfaa34901d5a7b34090b3a862793f90  /home/discourse/.local/share/pnpm/store/v3/files/1e/a9a94e4c7f5e4b8e407d5bbbec51f6167dd6470f9e9c6b41b3f99facbe9749c0c1a60f6cac13a74d7e09482601470bea436265eccd6091e0767ff9b05e66eb-exec
$ find /var/www/discourse/node_modules/ -type f -exec md5sum {} + | grep '^8bfaa34901d5a7b34090b3a862793f90'
8bfaa34901d5a7b34090b3a862793f90  node_modules/.pnpm/lefthook-linux-x64@1.10.8/node_modules/lefthook-linux-x64/bin/lefthook

The second is esbuild:

$ md5sum /home/discourse/.local/share/pnpm/store/v3/files/23/f5520e308f56ab79324ef0ea1249acf7aa09f192d1b5e5599b3b284e46f1e6c0d6d58707b63a9c965399930b6148639ef2bd6d1d4d55343448ba42b4535440-exec
25b47c7a561185d07c8c3d98ade527af  /home/discourse/.local/share/pnpm/store/v3/files/23/f5520e308f56ab79324ef0ea1249acf7aa09f192d1b5e5599b3b284e46f1e6c0d6d58707b63a9c965399930b6148639ef2bd6d1d4d55343448ba42b4535440-exec
$ find node_modules/ -type f -exec md5sum {} + | grep '^25b47c7a561185d07c8c3d98ade527af'
25b47c7a561185d07c8c3d98ade527af  node_modules/.pnpm/@esbuild+linux-x64@0.24.2/node_modules/@esbuild/linux-x64/bin/esbuild
25b47c7a561185d07c8c3d98ade527af  node_modules/.pnpm/esbuild@0.24.2/node_modules/esbuild/bin/esbuild

Those md5 hashes correspond to the published versions on npm, so we can be confident that they haven’t been tampered with between the registry and your installation:

$ curl -s https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.24.2.tgz | tar -Oxzf - package/bin/esbuild | md5sum
25b47c7a561185d07c8c3d98ade527af  -
$ curl -s https://registry.npmjs.org/lefthook-linux-x64/-/lefthook-linux-x64-1.10.8.tgz | tar -Oxzf - package/bin/lefthook | md5sum
8bfaa34901d5a7b34090b3a862793f90  -

So I think this has to be a false positive from Microsoft Defender. Removing esbuild from your Discourse installation will cause issues, so I’d recommend against that.

Searching online, it seems like Microsoft Defender falsely alerting against npm packages is fairly common. Here’s an example of a false detection of esbuild in the past.