Skip to content

Potential Security Concern: node-gyp.dll Flagged as Trojan:Win32/Wacatac.H!ml by Windows Defender #44

New issue
New issue
Closed
Closed
Potential Security Concern: node-gyp.dll Flagged as Trojan:Win32/Wacatac.H!ml by Windows Defender#44
@seckinyasar

Description

@seckinyasar
seckinyasar
opened on Jul 18, 2025

Potential Security Concern: node-gyp.dll Flagged as Trojan:Win32/Wacatac.H!ml by Windows Defender

Description

While installing the napi-postinstall@0.3.1 package on a Windows 11 system, Windows Defender flagged the node-gyp.dll file as a potential threat, identifying it as Trojan:Win32/Wacatac.H!ml.

Details

  • Operating System: Windows 11
  • Defender Detection: Trojan:Win32/Wacatac.H!ml
  • File Path: node_modules/napi-postinstall/node-gyp.dll
  • Package: napi-postinstall@0.3.1
  • Initial Detection Time: 7/18/2025 9:02:27 PM GMT+3

Steps to Reproduce

  1. Install the napi-postinstall@0.3.1 package using npm or yarn on a Windows 11 system.

    npm install napi-postinstall@0.3.1

  2. Note that Windows Defender flags the node-gyp.dll file located in node_modules/napi-postinstall/node-gyp.dll as Trojan:Win32/Wacatac.H!ml.

Environment

  • Node.js Version: v21.5.0
  • npm Version: 10.2.4
  • System Architecture: 64-bit
  • Windows Security Details:
    • Windows Security Application Version: 1000.27840.0.1000
    • Windows Security Service Version: 10.0.27840.1000-0
    • Antimalware Client Version: 4.18.25050.5
    • Engine Version: 1.1.25050.6
    • Antivirus Version: 1.431.724.0
    • AntiSpyware Version: 1.431.724.0

PowerShell Threat Detection Output

Below is the output from Get-MpThreatDetection in PowerShell, showing details of the detected threat:

ActionSuccess                  : True
AdditionalActionsBitMask       : 8
AMProductVersion               : 4.18.25050.5
CleaningActionID               : 2
CurrentThreatExecutionStatusID : 0
DetectionID                    : {2A87BF9F-BBA1-4111-8180-0886692E30D5}
DetectionSourceTypeID          : 2
DomainUser                     : NT AUTHORITY\SYSTEM
InitialDetectionTime           : 7/18/2025 9:02:27 PM
LastThreatStatusChangeTime     : 7/18/2025 9:02:52 PM
ProcessName                    : Unknown
RemediationTime                : 7/18/2025 9:02:52 PM
Resources                      : {file:_c:\users\placeholder\desktop\db-open-source-neondb-edge\examples\with-nextjs-prisma\node_modules\napi-postinstall\node-gyp.dll}
ThreatID                       : 2147814524
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 3
PSComputerName                 :

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions