Supply Chain Alert: Sipeed's Official Comtools Software Flagged as Trojan
I downloaded their official COMTools utility (serial communication tool for device configuration) directly from their distribution server at dl.sipeed.com - the link provided in their official documentation.
Multiple security scanners are flagging it as trojan malware:
VirusTotal: https://www.virustotal.com/gui/file/66b9b83687f4579e0de629eb63b9d41ef0c3cc2e4f03546d0fe6374de76c69f8/detection
Hybrid Analysis: https://hybrid-analysis.com/sample/66b9b83687f4579e0de629eb63b9d41ef0c3cc2e4f03546d0fe6374de76c69f8/690e6b0ff38090310e09c79d
More concerning than the detections is the observed behavior:
- Random cmd.exe processes spawning periodically
- Persistent background activity
- BitLocker recovery triggered after offline virus scan
- Suspicious network connections
This goes beyond typical false-positive behavior seen with some Chinese development tools (which sometimes lack proper code signing or use aggressive system access).
Two possibilities:
1. Supply chain compromise - their dl.sipeed.com server is serving modified binaries
2. Aggressive false positive (seems less likely given the behavioral indicators)
I'm currently comparing SHA256 hashes between the website version and their GitHub releases to determine if there's a discrepancy.
If this is a supply chain attack, it could affect a significant portion of the embedded systems development community, particularly those working with AI edge devices and RISC-V systems.
I've reported to Sipeed, Microsoft Security, and various security researchers. Has anyone else in the HN community used Sipeed products and can verify their COMTools installation?
SHA256 of flagged file: 66b9b83687f4579e0de629eb63b9d41ef0c3cc2e4f03546d0fe6374de76c69f8
Official (potentially compromised) source: https://dl.sipeed.com/shareURL/MaixSense/MaixSense_A010/software_pack/comtool
A user reports that Sipeed's official COMTools software is flagged as a Trojan by multiple security scanners, sparking debate about whether it's a false positive or a genuine supply chain compromise.
Snapshot generated from the HN discussion
Discussion activity: story posted Nov 10, 2025 at 3:34 PM EST; first comment Nov 10, 2025 at 9:27 PM EST (6h after posting); peak activity of 1 comment in the 4-6h window; latest activity Nov 11, 2025 at 2:06 PM EST.
Your own links disprove this. "No relevant DNS requests were made.", "No relevant hosts were contacted.", "No relevant HTTP requests were made."
> This goes beyond typical false-positive behavior seen with some Chinese development tools (which sometimes lack proper code signing or use aggressive system access).
No, it doesn't.
> Two possibilities: 1. Supply chain compromise - their dl.sipeed.com server is serving modified binaries 2. Aggressive false positive (seems less likely given the behavioral indicators)
One possibility: a regular false positive and a guy who doesn't know what he is talking about.
> If this is a supply chain attack
It isn't.