Phishing detected in Windows and malicious .js on linux

Description of the issue: I was at my friends place, and convinced him to switch to brave from chrome. When he was importing his passwords he got notification from Bitdefender, saying that phishing by brave.exe was blocked. I ran ClamTK on my linux laptops home folder with updated signatures and it spotted something malicious in the extensions folder. Or is this a big false positive?
How can this issue be reproduced?

  1. Launch brave, with Bitdefender web protection running in backround.
  2. Do anything on password manager page for a moment.

Expected result: Blocked phishing page notification by Bitdefender

Brave Version: 1.65.133

Additional Information: Personal laptop is running on Q4OS (debian 12 based), friends PC is windows 10.

@KALAMO just out of curiosity, is this on a fresh install with nothing added or had extensions been added to the browser for both of you? Obviously, if added extensions, I’d ask if perhaps you both use the same extension(s).

Just to expands on my earlier question. Looking at what you show in this screenshot, it says ghmbeldphafepmbegfdlkpapadhbakde is the extension highlighted and is being marked as a trojan. Taking that and going to AI, such as Google’s Gemini says the following:

Based on my search results, the string “ghmbeldphafepmbegfdlkpapadhbakde” appears to be an identifier associated with the Proton Pass Chrome extension. It’s not a human-readable name but rather a unique code used internally.

So I guess, are you guys using Proton Pass?

Yes im using ProtonPass and uBlock origin. My friend is using StudyBuddy and also uBlock origin.

Okay, so that’s what is getting detected. So now the question is whether it’s a false positive being triggered by the idea of Proton Pass storing and using your information, or whether you might have a fake version of Proton Pass or a version that came with a trojan.

But whates triggering the Bitdefender on my friends machine?

Well, you don’t have it showing anything. It’s possible and even probable that it’s flagging what you two share in common and was being flagged on your machine. You’d have to look for what it’s showing as origins or do deeper scans. The only thing we can see on your screenshot of Bitdefender is that it’s trying to call out to https://zjmfizpvjane.videosfk.repl.co

What I can tell you is repl.co can be learned more about at https://www.malwarebytes.com/blog/detections/repl-co and the official website for the company that operates everything is https://replit.com/. Thing is, they deprecated repl.co and switched to things like repl.dev instead, so it makes it seem whatever was being used/tested is from last year. The problem with Replit is anyone can use it and there’s no telling if it would be legitimate or not without digging into your device a bit deeper.

The things you’re sharing are vary vague and all that can be done is to run in-depth checks for viruses, malware, etc. What we do know is based on what you’re saying, Brave isn’t necessarily the origin of the problem but something is trying to perhaps call out using Brave. It should do the same regardless of whatever browser you’re using, though likely might stay in a particular browser if it’s an extension doing it.

All of that said, not enough information to give you any affirmative answer as to whether you’re seeing false positives or what’s happening.