Malware detected in wakatime-cli for Windows

[markvandenbrink]

Actual behavior (what went wrong):
According to Windows Defender, the latest version of the wakatime-cli contains malware (PUA:Win32/Caypnamer.A!ml). I first noticed this using the Wakatime extension in Visual Studio Code. When I directly download the latest release of the windows version from this repo (https://github.com/wakatime/wakatime-cli/releases/download/v1.37.0/wakatime-cli-windows-amd64.zip), the ZIP file gets immediately marked/blocked. I hope this is a false positive. Otherwise, this could be a serious problem...

Environment:
Windows 11

Logs:

[arturohernandez10]

Same thing happened to me. I believe it's just suspecting wakatime to be a trojan. As I use VSCODE, the command prompt appears asking me to enter my API code. Essentially the HTTP call gets blocked. Just to be sure. I'll let Microsoft Defender block it for now,

[alanhamlett]

This has happened before, and usually is fixed in a few days after we submit a request to MS. I'll let you know when we receive a reply.

[alanhamlett]

We've asked Microsoft to unblock it, will update when we receive more info.

[alanhamlett]

Should be fixed now, but you may need to update your malware definitions for it to take affect:

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
3. Run "MpCmdRun.exe -SignatureUpdate"

---

[aggietallboy]

Seems to have cleaned mine up as well. I wasn't seeing any activity in my PUP screen, but it seems to have been preventing access.

I'm not seeing the API/Access error..

[Extension Host] [Guides] Error while sending usage statistics: Error: connect ETIMEDOUT 54.209.32.212:443
console.ts:137 [Extension Host] [Guides] Usage statistics will retry in the next 5 minutes

but probably just need a restart or two to clean that up

[aggietallboy]

yep.. restart cleaned it up, thanks!!

[markvandenbrink]

Thanks, @alanhamlett for the quick follow-up! Glad to hear it's just a false positive.

[pkrakowiak]

I encountered this problem this morning. I ran the Windows Defender commands described above and restarted my PC but it did not help. WD is still reporting a trojan.

[markvandenbrink]

Same problem over here. I've updated the malware definition a few days ago and it worked properly. But today it started reporting again... I noticed the definitions were updated today. So apparently the Defender definitions version 1.359.811.0 thinks this is malware again 🙁

[egeakman]

Same here. Signature version: 1.359.823.0

[alanhamlett]

We released v1.38.0 and it got incorrectly detected as malware. I'll post updates for this new incident to #660.

[alanhamlett]

Version 1.40.0 was just released. Please let us know if you encounter this malware prompt again!

[alanhamlett]

Future discussions moved to #660.