> More concerning than the detections is the observed behavior: - Random cmd.exe processes spawning periodically - Persistent background activity - BitLocker recovery triggered after offline virus scan - Suspicious network connections
Your own links disprove this. "No relevant DNS requests were made.", "No relevant hosts were contacted.", "No relevant HTTP requests were made."
> This goes beyond typical false-positive behavior seen with some Chinese development tools (which sometimes lack proper code signing or use aggressive system access).
No, it doesn't.
> Two possibilities: 1. Supply chain compromise - their dl.sipeed.com server is serving modified binaries 2. Aggressive false positive (seems less likely given the behavioral indicators)
One possibility: a regular false positive and a guy who doesn't know what he is talking about.
> If this is a supply chain attack
It isn't.
It is a Trojan false alarm, introduced by "pyinstaller". The software is open source, feel free to review/compile it: https://github.com/sipeed/MetaSense-ComTool https://github.com/Neutree/COMTool/issues/40 https://github.com/pyinstaller/pyinstaller/issues/4852
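A reader who wants to test the "PyInstaller false alarm" explanation rather than take either side's word for it can check whether the download is in fact a PyInstaller one-file bundle and list what it embeds, then compare that list against the open-source repository. The script below is an added example, not code from this thread, from Sipeed or from the PyInstaller project; it follows PyInstaller's CArchive layout (the 8-byte magic `MEI\014\013\012\013\016`, an 88-byte trailing cookie packed as `!8sIIii64s`, and a table of contents of `!iIIIBc` entries followed by a NUL-padded name). The bundle it inspects is constructed inline in that layout so the example runs offline; it stands in for a real download.

```python
"""Identify a PyInstaller one-file bundle and list its embedded entries.

Added example (not code from the thread, Sipeed, or PyInstaller). Constants follow
PyInstaller's CArchive format; build_sample_bundle() fabricates a tiny bundle in that
layout for demonstration only.
"""
import struct
import zlib

MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"   # magic, package length, TOC offset, TOC length, Python version, lib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88 bytes
ENTRY_FMT = "!iIIIBc"       # entry length, data offset, compressed length, raw length, flag, type
ENTRY_LEN = struct.calcsize(ENTRY_FMT)     # 18 bytes
TYPE_NAMES = {b"s": "script", b"m": "module", b"b": "binary",
              b"z": "pyz", b"x": "data", b"o": "option"}


def python_version(pyvers):
    """PyInstaller stored e.g. 37 in old releases and 311 in newer ones; decode both."""
    if pyvers >= 100:
        return f"{pyvers // 100}.{pyvers % 100}"
    return f"{pyvers // 10}.{pyvers % 10}"


def parse_bundle(blob):
    """Return bundle metadata and TOC entries, or None if this is not a PyInstaller bundle."""
    # The cookie is the last thing in the package; rfind skips copies of the magic that
    # the bootloader itself may carry and tolerates an appended Authenticode overlay.
    pos = blob.rfind(MAGIC)
    if pos == -1 or len(blob) - pos < COOKIE_LEN:
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(COOKIE_FMT, blob[pos:pos + COOKIE_LEN])
    pkg_start = pos + COOKIE_LEN - pkg_len     # package length counts the cookie itself
    if pkg_start < 0 or pkg_start + toc_off + toc_len > pos + COOKIE_LEN:
        return None                            # cookie present but offsets are corrupt
    toc = blob[pkg_start + toc_off:pkg_start + toc_off + toc_len]
    entries, p = [], 0
    while p + ENTRY_LEN <= len(toc):
        slen, dpos, dlen, ulen, flag, typ = struct.unpack(ENTRY_FMT, toc[p:p + ENTRY_LEN])
        if slen <= ENTRY_LEN:
            return None                        # malformed entry; refuse to loop forever
        name = toc[p + ENTRY_LEN:p + slen].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": TYPE_NAMES.get(typ, typ.decode()),
                        "offset": dpos, "compressed": dlen, "size": ulen, "zlib": bool(flag)})
        p += slen
    return {"python": python_version(pyvers), "pylib": pylib.rstrip(b"\0").decode(),
            "pkg_start": pkg_start, "entries": entries}


def extract_entry(blob, info, entry):
    """Return the raw bytes of one TOC entry, inflating it if it was zlib-compressed."""
    start = info["pkg_start"] + entry["offset"]
    raw = blob[start:start + entry["compressed"]]
    return zlib.decompress(raw) if entry["zlib"] else raw


def build_sample_bundle():
    """Constructed test data: a fake bootloader stub plus a two-entry CArchive package."""
    stub = b"MZ" + b"\0" * 62 + b"fake-bootloader-stub"   # stands in for the PE bootloader
    items = [(b"s", "comtool", b"print('hello from comtool')\n", True),
             (b"x", "README.txt", b"sample data file\n", False)]
    data, toc = b"", b""
    for typ, name, payload, compress in items:
        body = zlib.compress(payload, 9) if compress else payload
        name_b = name.encode() + b"\0"
        slen = (ENTRY_LEN + len(name_b) + 15) // 16 * 16   # PyInstaller pads entries to 16 bytes
        toc += struct.pack(ENTRY_FMT, slen, len(data), len(body), len(payload),
                           1 if compress else 0, typ) + name_b.ljust(slen - ENTRY_LEN, b"\0")
        data += body
    pkg_len = len(data) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), 311, b"python311.dll")
    return stub + data + toc + cookie


if __name__ == "__main__":
    sample = build_sample_bundle()
    info = parse_bundle(sample)
    print(f"PyInstaller bundle, Python {info['python']} ({info['pylib']})")
    for e in info["entries"]:
        print(f"  {e['type']:7} {e['name']:12} {e['size']:6} bytes")
    print(extract_entry(sample, info, info["entries"][0]).decode(), end="")
```

On a real download, call `parse_bundle(open(path, "rb").read())`; the embedded script and module names are what you compare against the project's `.spec` file and source tree. A bundle whose entries match the public repository, with a generic PyInstaller bootloader and no unexpected binaries, is exactly the kind of packed-Python executable that heuristic engines flag as a "Trojan", which is the false-positive case the PyInstaller issue linked above describes.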