Plugin Appears to Have a Trojan
FYI:
I recently installed Zotero. Late last week I was infected with a Trojan that installed a CryptoCurrency Miner. I suspected it had been installed via Zotero. So today I restored my 'Zotero folder' and sure enough after a scan there were numerous Trojans found in the acroread PDF plugin. I've quarantined all instances. This was on Linux too! This was a default install.
I recently installed Zotero. Late last week I was infected with a Trojan that installed a CryptoCurrency Miner. I suspected it had been installed via Zotero. So today I restored my 'Zotero folder' and sure enough after a scan there were numerous Trojans found in the acroread PDF plugin. I've quarantined all instances. This was on Linux too! This was a default install.
The most usual issue is typically that you've taken a webpage snapshot from a site that serves malware; this would be found in the storage directory. There's not much Zotero should be expected to do here. Because these are typically javascript-based miner, nothing would happen if the page isn't loaded in your browser & you may be able to remove the culprit files and still have a usable snapshot). Your quarantine may have shown whether this was/wasn't the case. You can also report and/or not visit sites that serve malware.
The second most usual issue is a false positive.
The third and least likely is that you downloaded a modified version of Zotero from an untrusted source.
/home/xxx/Zotero/storage/8PZLTV95/secureAnonymousFramework PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/AJQW7RDG/context_static_r_5640.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/TYFGUSIH/js_e9aef594554208d5ad1087102ba7af63.js PUA.Win.Tool.Packed-177
/home/xxx/Zotero/storage/C4KZJSP6/secureAnonymousFramework PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/QFSLCD7C/context_static_r_5698.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/QFSLCD7C/loader.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/EYTUUI4A/secureAnonymousFramework PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/VZJHKCR2/moatuac.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/AJQW7RDG/loader.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/7L9Z6UEB/secureAnonymousFramework PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/9V7YLYQD/secureAnonymousFramework PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/SDW2XLD4/moatcontent.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/F8VSQLUX/secureAnonymousFramework PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/V545Z3PG/context_static_r_5447.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/V545Z3PG/loader.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/6GEAND5W/moatcontent.js
PUA means "potential unwanted application". PUA are not virusses; they are flagged when your AV system finds a file or extension that have been proven to be abused by others. It is likely that many of those are not harmful. So: it may be some mix of the first two options I list (these aren't really false positives, as they're flagged "PUA", but it has the same effect if the enduser doesn't understand that).
In any case: I see nothing for Zotero to do better here.