warning message from antivirus when I open Zotero about https://gh-proxy.com/

whybethee · 2025-07-31T18:56:38+00:00

My antivirus gives me the warning below when I open Zotero. What is the problem?

Infected web resource detected

Feature:
Online Threat Prevention

We blocked this dangerous page for your protection:
https://gh-proxy.com/
Accessed by: zotero.exe
Dangerous pages attempt to install software that can harm the device, gather personal information or operate without your consent.

Thank you

AbeJellinek · 2025-07-31T21:02:18+00:00

A Zotero plugin you installed is connecting to that domain, probably to check for updates.

whybethee · 2025-08-01T15:34:12+00:00

I cant figure out which plug in is doing it.
I checked my zotero folders.
Should I try turning off each plug in separately and seeing if the message repeats?
Could it be a plug in I never actually installed due to the warning message but it keeps trying to install?

AbeJellinek · 2025-08-01T15:48:07+00:00

Yeah, actually, it is possible that this is Zotero itself checking for updates at the URL that a plugin provided. I'm not positive, but that may occasionally happen even if the plugin is disabled.

You could try going into your Zotero profile directory, opening the subdirectory called "extensions," and moving each of the .xpi files into another directory, restarting Zotero each time, until the message disappears.

But I don't think there's anything inherently wrong with a plugin connecting to that domain. Some Zotero plugin developers are in China, where the code hosting service GitHub isn't directly accessible, so they use that proxy domain instead. If you figure out which plugin is responsible, you could try getting in touch with the developer and asking them if they could distribute a version for non-Chinese users that doesn't use gh-proxy.com.