I downloaded their official COMTools utility (serial communication tool for device configuration) directly from their distribution server at dl.sipeed.com - the link provided in their official documentation.
Multiple security scanners are flagging it as trojan malware:
VirusTotal: https://www.virustotal.com/gui/file/66b9b83687f4579e0de629eb63b9d41ef0c3cc2e4f03546d0fe6374de76c69f8/detection
Hybrid Analysis: https://hybrid-analysis.com/sample/66b9b83687f4579e0de629eb63b9d41ef0c3cc2e4f03546d0fe6374de76c69f8/690e6b0ff38090310e09c79d
More concerning than the detections is the observed behavior: - Random cmd.exe processes spawning periodically - Persistent background activity - BitLocker recovery triggered after offline virus scan - Suspicious network connections
This goes beyond typical false-positive behavior seen with some Chinese development tools (which sometimes lack proper code signing or use aggressive system access).
Two possibilities: 1. Supply chain compromise - their dl.sipeed.com server is serving modified binaries 2. Aggressive false positive (seems less likely given the behavioral indicators)
I'm currently comparing SHA256 hashes between the website version and their GitHub releases to determine if there's a discrepancy.
If this is a supply chain attack, it could affect a significant portion of the embedded systems development community, particularly those working with AI edge devices and RISC-V systems.
I've reported to Sipeed, Microsoft Security, and various security researchers. Has anyone else in the HN community used Sipeed products and can verify their COMTools installation?
SHA256 of flagged file: 66b9b83687f4579e0de629eb63b9d41ef0c3cc2e4f03546d0fe6374de76c69f8 Official (potentially compromised) source: https://dl.sipeed.com/shareURL/MaixSense/MaixSense_A010/software_pack/comtool
zepan•2mo ago