Incident Report: False Malware Detection

November 28, 2022

Summary

We’re receiving reports that GoDaddy has identified one of LayerSlider’s plugin files as malware. This is a false detection since LayerSlider does not and has never contained any malware or viruses. We’re still waiting for an official response, but some reports suggest that GoDaddy might have already realized the mistake on their part. In the meantime, we’ve released a new update to mitigate this and future issues on our side as well. This issue might have also affected other hosting providers; thus, updating to LayerSlider 7.6.1 is strongly recommended for everyone. At the moment, we believe only LayerSlider 7.6.0 users were affected.

About The Incident

After we released LayerSlider 7.6.0, GoDaddy started to notify their customers that their sites contain viruses or content that violates GoDaddy’s Universal Terms of Service, which might involve account suspension. They didn’t provide specifics other than mentioning one of LayerSlider’s plugin files: layerslider.kreaturamedia.jquery.js. As noted above, LayerSlider does not contain any malware or viruses, and this is a false detection. We’ve reached out to GoDaddy, but they have yet to react at the time of writing.

GoDaddy’s security scans are powered by Sucuri. We didn’t receive complaints from other sources, but more hosting companies and security solutions relying on Sucuri might also be affected.

Reports suggest that GoDaddy might have already realized the mistake on their part. However, they appear to have mixed messaging. Some customers’ sites are working correctly without any issues, and GoDaddy allegedly said the issue was resolved. At the same time, GoDaddy deleted the falsely flagged file in other cases, resulting in broken websites.

What We Did

We believe the issue is related to how we compress our JavaScript files. Our prior technique is nothing unusual, and we’ve never experienced any problems with it. While it significantly reduced file sizes and optimized delivery, it also made the code somewhat obscure, in a way that security solutions might misinterpret.

From now on, we’re using another method for minification to avoid similar cases. We used our previous method for a reason, and sadly, the new one is less efficient. However, modern web browsers and servers support gzipped content delivery, so this change shouldn’t negatively affect site performance.

What Should You Do

If you’re affected, we urge you to update to LayerSlider 7.6.1. We also recommend contacting GoDaddy to let them know that this is a false detection. If you didn’t receive a notification or report, you likely don’t have to do anything, but updating LayerSlider is still recommended.

We always take security very seriously, and we appreciate your understanding in this matter.

Sincerely,
Kreatura Team
