Possible malware in blitzsearch plugin

[WyattTheSkid]

I was downloading some of these and google chrome stopped me from downloading the blitz search one. I decided to turn off windows defender and upload the dll to virustotal and I saw a huge number of detections. Here is the issue I opened on their repo. It's possible someone could have been compromised so I'm not saying that I necessarily think this was intentional. Natestah/BlitsNppPlugin#3

Here is the virustotal report: https://www.virustotal.com/gui/file/3a2f63596116d45352b7dc360441343fbb772e43f3ee554baffd367d6270dc06

I suggest that this plugin be removed from the list or at least labelled as proceed with caution for now until this is addressed. I am aware that false positives are a thing absolutely, but the nature of these detections imply that the dll is crypted and there are 41 of them whereas my comfortable threshold for false positives is usually no more than like 7. Just wanted to put this out there, be safe everybody.

[chcg]

@rdipardo You already had a look on this with Natestah/BlitsNppPlugin#1 . What do you think is this actually infected dll?

[rdipardo]

@chcg

What do you think is this actually infected dll?

My issue was about BlitzSearch v1.0.0.0, published May 30, 2024, the only version available at the time. (Look at the File Version under the Details tab of the Virus Total report the OP shared.)

As of today Windows Defender is still intercepting downloads of the original artifact:

https://github[.]com/Natestah/BlitsNppPlugin/releases/download/InitialRelease/BlitzSearch[.]dll

#811 updated BlitzSearch to 1.0.0.3. Downloading a zipball of that version does not trigger the AV for me.¹

I uploaded a copy of v1.0.0.3 to Virus Total. The score is bad, but that's probably because it shares mostly identical code with the corrupt v1.0.0.0 DLL.

I would say there's nothing to be done as far as the PluginList is concerned. If you start banning plugins based on AV scores, you would have to do the same for Don Ho's NppPluginTemplate (which Windows Defender also doesn't trust: notepad-plus-plus/notepad-plus-plus#16147), and who-knows-how-many others.

Footnotes

1. Trying to use v1.0.0.3 reveals other problems, however. Only 2 of the 3 programmed plugin commands appear in the menu; both of the them do nothing but navigate to the author's homepage, as the missing third command is supposed to do. I built BlitzSearch from git and it has the same problem, so at least we know the release artifacts have not been tampered with. ↩

[molsonkiko]

I also think this plugin should be removed from the plugin list. My CI build failed for my most recent PR because the SHA-256 digest for the 64-bit BlitzSearch DLL didn't match the expected value.

[chcg]

Latest tag https://github.com/Natestah/BlitsNppPlugin/releases/tag/v1.0.0.6 is built via GH action now. So there is most likely no local manipulation in the plugin anymore.