Upgrade StoragePlugin Appears to Have a Trojan
FYI:
I recently installed Zotero. Late last week I was infected with a Trojan that installed a CryptoCurrency Miner. I suspected it had been installed via Zotero. So today I restored my 'Zotero folder' and sure enough after a scan there were numerous Trojans found in the acroread PDF plugin. I've quarantined all instances. This was on Linux too! This was a default install.
I recently installed Zotero. Late last week I was infected with a Trojan that installed a CryptoCurrency Miner. I suspected it had been installed via Zotero. So today I restored my 'Zotero folder' and sure enough after a scan there were numerous Trojans found in the acroread PDF plugin. I've quarantined all instances. This was on Linux too! This was a default install.
This is an old discussion that has not been active in a long time. Before commenting here, you should strongly consider starting a new discussion instead. If you think the content of this discussion is still relevant, you can link to it from your new discussion.
The most usual issue is typically that you've taken a webpage snapshot from a site that serves malware; this would be found in the storage directory. There's not much Zotero should be expected to do here. Because these are typically javascript-based miner, nothing would happen if the page isn't loaded in your browser & you may be able to remove the culprit files and still have a usable snapshot). Your quarantine may have shown whether this was/wasn't the case. You can also report and/or not visit sites that serve malware.
The second most usual issue is a false positive.
The third and least likely is that you downloaded a modified version of Zotero from an untrusted source.
/home/xxx/Zotero/storage/8PZLTV95/secureAnonymousFramework PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/AJQW7RDG/context_static_r_5640.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/TYFGUSIH/js_e9aef594554208d5ad1087102ba7af63.js PUA.Win.Tool.Packed-177
/home/xxx/Zotero/storage/C4KZJSP6/secureAnonymousFramework PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/QFSLCD7C/context_static_r_5698.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/QFSLCD7C/loader.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/EYTUUI4A/secureAnonymousFramework PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/VZJHKCR2/moatuac.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/AJQW7RDG/loader.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/7L9Z6UEB/secureAnonymousFramework PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/9V7YLYQD/secureAnonymousFramework PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/SDW2XLD4/moatcontent.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/F8VSQLUX/secureAnonymousFramework PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/V545Z3PG/context_static_r_5447.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/V545Z3PG/loader.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/6GEAND5W/moatcontent.js
PUA means "potential unwanted application". PUA are not virusses; they are flagged when your AV system finds a file or extension that have been proven to be abused by others. It is likely that many of those are not harmful. So: it may be some mix of the first two options I list (these aren't really false positives, as they're flagged "PUA", but it has the same effect if the enduser doesn't understand that).
In any case: I see nothing for Zotero to do better here.