materializecss / materialize

Materialize, a web framework based on Material Design

Home Page: https://materializeweb.com/

Microsoft Defender Antivirus detects "Trojan:Script/Wacatac.H!ml"

Pevtrick opened this issue · comments

Downloading one of the assets of the current release (2.0.4) leads to a security warning by Microsoft Defender Antivirus:

Trojan:Script/Wacatac.H!ml
file: C:\Users\xxxxx\Downloads\materialize-v2.0.4.zip->materialize/js/materialize.js

Trojan:Script/Wacatac.H!ml
file: C:\Users\xxxxx\Downloads\materialize-src-v2.0.4.zip->materialize-src/js/bin/materialize.js

I don't know if it's a false positive, but it might be worth investigating.

Hi, could you verify that you've downloaded it from GitHub? So far, based on this Reddit post, this type of trojan is being flagged and has multiple false positives. I scanned the files on VirusTotal and could confirm there are no viruses detected.

VirusTotal scanned links:
materialize-v2.0.4: https://www.virustotal.com/gui/url/7b9046e977051c9f83573d89c224a418cce1bc50cb0f428104744fd2bd8a31c1
materialize-src-v2.0.4: https://www.virustotal.com/gui/url/fcaa99a78b62c7ec8d325d72b3686961aaf3b0d4626f98124a5741d22a4de951
materialize.js (src & non-src): https://www.virustotal.com/gui/file/782e94753a0d4bca82801a457486f137a3094dc74d3c4bf9eef8c149bfba2a5c
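One way to confirm that the flagged archive members are the same file that was scanned on VirusTotal, as an added example that is not part of the original thread or the Materialize project. It assumes the identifier in the VirusTotal file link above is the file's SHA-256 and that the two release zips sit in the current directory; `sample_zip` builds a constructed in-memory archive so the check can be exercised offline.

```python
import hashlib
import io
import zipfile

# From the VirusTotal file link in the thread (assumed to be the SHA-256).
VT_SHA256 = "782e94753a0d4bca82801a457486f137a3094dc74d3c4bf9eef8c149bfba2a5c"

# (archive, member) pairs named in the Defender alerts quoted in the thread.
FLAGGED = [
    ("materialize-v2.0.4.zip", "materialize/js/materialize.js"),
    ("materialize-src-v2.0.4.zip", "materialize-src/js/bin/materialize.js"),
]

def member_sha256(archive, member):
    """Hash one zip member in chunks, without extracting it to disk."""
    digest = hashlib.sha256()
    with zipfile.ZipFile(archive) as zf, zf.open(member) as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage(pairs, expected):
    """Return one verdict per pair: 'match', 'mismatch' or 'unreadable'."""
    verdicts = []
    for archive, member in pairs:
        try:
            actual = member_sha256(archive, member)
        except (KeyError, OSError, zipfile.BadZipFile):
            verdicts.append("unreadable")  # no such archive or member
            continue
        verdicts.append("match" if actual == expected.lower() else "mismatch")
    return verdicts

def sample_zip(member, data):
    """Constructed in-memory archive, used only to exercise the check offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Run from the download folder; absent archives report 'unreadable'.
    for (archive, member), verdict in zip(FLAGGED, triage(FLAGGED, VT_SHA256)):
        print(f"{archive} -> {member}: {verdict}")
```

A `match` shows the flagged member is byte-identical to the file behind the VirusTotal report; a `mismatch` means the download differs from what was scanned and the report does not cover it.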

I don't know any way to technically confirm it but I just repeated the process again (download from GitHub) and I get the same warning.
I also had the feeling that it was a false positive. But now I'm curious what is suddenly triggering this message.

Yeah. I wouldn't trust much from Microsoft's side of antivirus. A more trusted antivirus, if you have one (e.g. Kaspersky or even Windows's bloatware antivirus McAfee), would yield better results. On Reddit, they said VirusTotal is quite trusted, and VirusTotal also includes scans from Microsoft. Just leave the computer for a while and it should resolve later.

Update: A report has been submitted to Microsoft regarding the issue. It seems like it is targeting many public repositories of JS-based libraries. Some have linked this repository to mention the false positives from the new Microsoft Defender update. I'll update when it is resolved.

Hey guys, thanks for the quick investigation.

I updated the compression library via npm during the last release 2.0.4. Can this cause the issue? From my point of view, we can leave out the process of generating zip files completely.

Should we remove the zipping, what do you think?

A quick update: Microsoft has resolved the false positives at their end. It should be reflected later on when the next update comes.

The problem is fixed on my side, thx for the quick reaction.
@wuda-io I don't think that you should change your release workflow based on this.

Agreed.