Sublime Forum

Windows Defender: Trojan found in numpy package

#1

Today Windows Defender on two different Windows machines moved the mtrand.so file (SublimeText3_Packages\Packages\numpy\st3_osx_x64\numpy\random\mtrand.so) into quarantine because it contains the following: Trojan:Win32/Bluteal.B!rfn.

Here is the log; unfortunately it is in German:

Windows Defender:

Date: 2018-06-13 10:50:43.496
Description:
Von Windows Defender Antivirus wurde Schadsoftware oder andere potenziell unerwünschte Software erkannt.
Weitere Informationen:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Bluteal.B!rfn&threatid=2147727314&enterprise=0
Name: Trojan:Win32/Bluteal.B!rfn
ID: 2147727314
Schweregrad: Schwerwiegend
Kategorie: Trojaner
Pfad: file:_C:\Users\bine\Dropbox\SublimeText3_Packages\Packages\numpy\st3_osx_x64\numpy\random\mtrand.so
Erkennungsursprung: Lokaler Computer
Erkennungstyp: Konkret
Erkennungsquelle: Echtzeitschutz
Benutzer: NT-AUTORITÄT\SYSTEM
Prozessname: C:\Program Files\CrashPlan\CrashPlanService.exe
Signaturversion: AV: 1.269.1075.0, AS: 1.269.1075.0, NIS: 1.269.1075.0
Modulversion: AM: 1.1.14901.4, NIS: 1.1.14901.4

0 Likes

#2

I just uploaded the file to VirusTotal. First it said it is safe and the file was last checked 13 days ago. I selected analyze again and 1 of 60 scanners found the trojan. On VirusTotal it was also Windows Defender that found the trojan.

I guess it could be a false alarm. Here is the link to the VirusTotal summary:

https://www.virustotal.com/de/file/60a6b90e6a6d2449516ec743a39641109f4b896246aecb563ce71003059253f0/analysis/1528903087/

Another question: why is an OSX package on a Windows machine? Either the naming is wrong, or would those Python binaries also run under Windows?

0 Likes
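To turn the two posts above into something repeatable, here is a small triage helper I am adding to this thread (it is my own code, not part of the sublime-numpy package or of Package Control). It parses the German-labelled Windows Defender event from #1 into English field names, extracts the path of the quarantined file, and checks whether a local copy of that file is the same sample VirusTotal analysed by comparing its SHA-256 with the hash embedded in the VirusTotal URL from #2. The event text and the URL are copied from the thread; the function names, the label-to-field mapping and the `file:_` prefix handling are my assumptions about the Defender log format.

```python
import hashlib
import re
from pathlib import Path

# Windows Defender event text as posted in #1 (German field labels), copied from the thread.
DEFENDER_EVENT = r"""Name: Trojan:Win32/Bluteal.B!rfn
ID: 2147727314
Schweregrad: Schwerwiegend
Kategorie: Trojaner
Pfad: file:_C:\Users\bine\Dropbox\SublimeText3_Packages\Packages\numpy\st3_osx_x64\numpy\random\mtrand.so
Erkennungsursprung: Lokaler Computer
Erkennungstyp: Konkret
Erkennungsquelle: Echtzeitschutz
Benutzer: NT-AUTORITÄT\SYSTEM
Prozessname: C:\Program Files\CrashPlan\CrashPlanService.exe
Signaturversion: AV: 1.269.1075.0, AS: 1.269.1075.0, NIS: 1.269.1075.0
"""

# VirusTotal report URL from #2; the 64 hex characters after /file/ are the sample's SHA-256.
VT_URL = "https://www.virustotal.com/de/file/60a6b90e6a6d2449516ec743a39641109f4b896246aecb563ce71003059253f0/analysis/1528903087/"

# German Defender labels mapped to English field names (my translation, not an official mapping).
FIELD_NAMES = {
    "Name": "threat_name",
    "ID": "threat_id",
    "Schweregrad": "severity",
    "Kategorie": "category",
    "Pfad": "path",
    "Erkennungsursprung": "detection_origin",
    "Erkennungstyp": "detection_type",
    "Erkennungsquelle": "detection_source",
    "Benutzer": "user",
    "Prozessname": "process_name",
    "Signaturversion": "signature_version",
}


def parse_defender_event(text):
    """Parse 'Label: value' lines of a Defender event into a dict with English keys.

    Only the first colon splits label from value, so values such as
    'Trojan:Win32/...' or 'C:\\Program Files\\...' survive intact.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        key = FIELD_NAMES.get(label.strip())
        if key is None:
            continue  # unknown label: ignore rather than guess
        value = value.strip()
        if key == "path":
            # Defender writes the path as 'file:_<path>'; strip that prefix (assumption).
            value = re.sub(r"^file:_", "", value)
        fields[key] = value
    return fields


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """SHA-256 hex digest of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sha256_from_virustotal_url(url):
    """Extract the SHA-256 that identifies the sample in a VirusTotal report URL."""
    match = re.search(r"/file/([0-9a-f]{64})/", url)
    if match is None:
        raise ValueError("no SHA-256 found in VirusTotal URL: %s" % url)
    return match.group(1)


def matches_analyzed_sample(local_path, vt_url):
    """True if the local file is byte-for-byte the sample VirusTotal analysed."""
    return sha256_of_file(local_path) == sha256_from_virustotal_url(vt_url)


if __name__ == "__main__":
    event = parse_defender_event(DEFENDER_EVENT)
    print("threat:", event["threat_name"], "flagged by", event["detection_source"])
    print("quarantined file:", event["path"])
    local = Path(event["path"])
    if local.is_file():
        print("same sample as the VirusTotal report:", matches_analyzed_sample(local, VT_URL))
    else:
        print("file not present locally (quarantined or on another machine); nothing to hash")
```

Run it on the machine that raised the alert; if the file has already been quarantined, restore it to a scratch directory first or hash the copy you uploaded. A hash match only tells you that the file you hold is the one in the report, which is what makes a 1/60 result comparable between machines; it says nothing by itself about whether that single detection is a false positive.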

#3

numpy can be found here: https://github.com/komsit37/sublime-numpy

I am not an expert, but I think Package Control always downloads the whole repository and just uses the Windows sources, instead of only downloading the Windows sources (which would also be a little complicated).

1 Like

#4

“unfortunately German” ? Is this forum a pro-Trump venue for systematic child abduction and foster gang marketing since the pro-Trump venue has just criminalized parents for trying to protect children? WRONG direction for Sublime. T-r-a-n-s-l-a-t-o-r ! Learn how !!

Von Windows Defender Antivirus wurde Schadsoftware oder andere potenziell unerwünschte Software erkannt.
Windows Defender Antivirus detected Malware or other potentially unwanted Software.

Sublime numpy is an unusual Git. No Readme, meaning the Readme was deleted by the Git author. Apple recently identified the Sublime theme Bamboo as malware, the macOS equivalent of a virus. An email to the Bamboo author, who has not deleted his Git Readme, resulted in an almost immediate cleanup, and like most Sublime plugins it works excellently. This post is not an attempt to blame any plugin contributors, even a devious numpy contributor(s) / bot ? I think the problem is the gateway into Sublime - who is watching over Sublime ? For that matter, how can plugins be regulated to remove threats, before threads like this one have to surface !!! Sublime developers will naturally note that we are all ‘friendly’ public developers, and amply conditioned to police plugins by ourselves. It’s a dirty world out there…

Still, especially in this case it is clear to me that Sublime Text’s developers must deploy their own bot to police plugins. Do we need a Sublime Forum category, “Security of Sublime” ? That might invite more deviant harm than benefit for users and the Sublime teams.

0 Likes