Imurmurhash.min.js: PUA.Win.Trojan.Xored-1 FOUND

Hi!
When running ClamAV 1.3.1 i get the following:

Penpot2.5.2/penpot-backend-2.5.2.tar/blobs/…/opt/node_modules/imurmurhash.min.js: PUA.Win.Trojan.Xored-1 FOUND

I asked a “friend” and it indicate false positive, but also that there seem to be better alternatives to imurmurhash.min.js

Can you consider replacing imurmurhash.min.js with some other hashing library?

Hello @Lars

Yes, this is a common false positive as you can see in here more information here: GitHub · Where software is built

Anyway, our team will look into it to decided if we need to take any actions or replacing the library. Thanks for reporting this.

Thank you for clarifying and for looking into it further.
Thanks!

Hi @carolina.portugal !

I checked penpot version 2.7.2 and imurmurhash is still used. Does the team plan to take actions or to replace imurmurhash?

ClamAV 1.3.1 does not detect the trojan in the penpot frontend.

ClamAV get the false positive for penpot backend and exporter in imurmurhash-npm-0.1.4-610c506a0-10c0.zip

These are the locations ClamAV indicated.
exporter:
/opt/penpot/exporter/node_modules/imurmurhash/imurmurhash.min.js: PUA.Win.Trojan.Xored-1 FOUND
/opt/node/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js: PUA.Win.Trojan.Xored-1 FOUND

backend:
/opt/node/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js: PUA.Win.Trojan.Xored-1 FOUND

Hey @Lars, the team look into it and decided that we don’t need to replace it.

Ok. Thanks for checking.