This morning Microsoft Defender detected “durable-task.hpi” as a malicious trojan in the latest release, but it is not alone.
In the hpi file there is a jar file, and there are some exe files which are spawning our exes and being detected: VirusTotal - File - cee66a6da48c7f9fc7daa917434918c63c50d9ebd7f3126088011ceaa0ff6d54
The “Reporting Security Vulnerabilities” page says:
We do not consider the following issues to be vulnerabilities in Jenkins (core + plugins):
- Claims of malware in Durable Task plugin or lib-durable-task unless substantiated (e.g., local builds from source are unaffected). Our best guess is that these tools consider the low-level process and signal handling and/or the bundling of native go binaries inside nested jarfiles in these components to be suspicious behavior. Please report this false positive finding to your anti-malware vendor.
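
Added example, not part of the original post or the Jenkins project's code: a Python script that lists the native executables inside an .hpi, including those in nested jars, with their SHA-256, so a hash reported by a scanner can be matched to the exact embedded file. The archive layout and file names in the sample are constructed.

```python
import hashlib
import io
import zipfile

ARCHIVES = (".hpi", ".jar", ".zip")
# Magic bytes of common native executable formats.
MAGICS = {b"MZ": "PE", b"\x7fELF": "ELF", b"\xcf\xfa\xed\xfe": "Mach-O"}
MAX_DEPTH, MAX_SIZE = 5, 64 * 1024 * 1024  # bound recursion and member size

def native_format(data):
    """Name the executable format by magic bytes, or None."""
    return next((n for m, n in MAGICS.items() if data.startswith(m)), None)

def inventory(data, prefix="", depth=0):
    """Map path -> (format, sha256) for native binaries in a nested archive."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_SIZE:
                continue
            body, path = zf.read(info), prefix + info.filename
            nested = path.lower().endswith(ARCHIVES) and depth < MAX_DEPTH
            if nested and zipfile.is_zipfile(io.BytesIO(body)):
                found.update(inventory(body, path + "!/", depth + 1))
            elif native_format(body):
                found[path] = (native_format(body), hashlib.sha256(body).hexdigest())
    return found

def locate(inv, sha256):
    """Paths of embedded binaries whose hash equals the one a scanner reported."""
    return sorted(p for p, (_, h) in inv.items() if h == sha256.lower())

def make_hpi(binary):
    """Constructed sample: an .hpi holding a jar that holds one native binary."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("bin/sample_agent.exe", binary)  # hypothetical file name
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/lib/sample-lib.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    sample = b"MZ" + bytes(64)  # constructed bytes, not a real executable
    inv = inventory(make_hpi(sample))
    for path, (fmt, digest) in inv.items():
        print(fmt, digest, path)
    print(locate(inv, hashlib.sha256(sample).hexdigest()))
```

To inspect a real file, pass its bytes (`open(path, "rb").read()`) to `inventory`.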