I checked penpot version 2.7.2 and imurmurhash is still used. Does the team plan to take actions or to replace imurmurhash?
ClamAV 1.3.1 does not detect the trojan in the penpot frontend.
ClamAV get the false positive for penpot backend and exporter in imurmurhash-npm-0.1.4-610c506a0-10c0.zip
These are the locations ClamAV indicated.
exporter:
/opt/penpot/exporter/node_modules/imurmurhash/imurmurhash.min.js: PUA.Win.Trojan.Xored-1 FOUND
/opt/node/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js: PUA.Win.Trojan.Xored-1 FOUND
backend:
/opt/node/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js: PUA.Win.Trojan.Xored-1 FOUND