Microsoft Defender Report Trojan:Script/Wacatac.B!ml in file Get.ps1

[hdell]

Checklist

• I have searched for existing issues/discussions and didn't find any similar ones.
• I haven't used any other scripts, tools or programs that might have caused this issue.

Windows version

10.0.26100 Build 26100

Script mode/options

None -- Just performed a Download

Describe the issue

Microsoft Defender Reports the file C:\Users<removed>\Downloads\Win11Debloat-2025.06.11.zip->Win11Debloat-2025.06.11/Get.ps1 contains Trojan:Script/Wacatac.B!ml. So this is similar to Issue #248?

I found the link to download the file in the README.md file under the heading "Traditional method // Manually download & run the script."

Please note I am tangentially familiar with GitHub and don't know all about this -- noob. This is likely a false positive, however, I would like to hear what the community has to say. Of course we all know of various supply chain attacks.

Previously this last week I download the ZIP without an issue, however, I must have done this differently as the ZIP file was named Win11Debloat-master.zip.

Steps to reproduce

Just download the file /Raphire/Win11Debloat/archive/refs/tags/2025.06.11.zip (don't download as it may contain malware)

Error output

See DefenderReport.pdf

Additional context

DefenderReport.pdf

[Raphire]

Heya,

Thanks for reporting this. I think we're seeing this now because we recently moved to tagged releases. Because of this, after every release the script will download from a new url/file name (with new version nr), where before the url/filename was always the same. I can see how AV's would consider that suspicious, as they look at the url, filename, etc. to check whether a file is 'trusted'.