It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal.

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 22:50:21 GMT

serrebi@serrebiradio.com — Tue, 19 May 2026 22:50:21 GMT

@jaybird110127 @fastfinge Yep it is. Should have been optional on our systems.

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 16:24:38 GMT

fastfinge@fed.interfree.ca — Tue, 19 May 2026 16:24:38 GMT

The blindness community is also quite interconnected. If we wanted to, a "web of trust" would be more possible for us than other communities. We regularly gather at conventions (NFB, ACB, Sight Village, Zero Project, etc.) so with accessible, easy to use and understand tools, keysigning parties could easily happen. We've already moved to the #Fediverse because it's more accessible, and obviously better for our needs. Let's keep thinking differently about centralization and privacy; we might discover there are other methods that will work better for us and our needs, without restricting our rights, privacy, or functionality.

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 16:19:31 GMT

fastfinge@fed.interfree.ca — Tue, 19 May 2026 16:19:31 GMT

An actual security solution:
* allow user reviews of addons
* allow users to report addons
* remove addons from the store after X number of reports
* have a reputation system for addon developers (How many addons? How many versions? How long have they been around?)
* allow high reputation developers to do code reviews of other addons and submit the results

This would help for addons in the store. For addons not in the store, users are on their own. However, even for non-store addons, NVDA could do things that would reduce risk:
* Check PGP keys. An addon that claims it was by fastfinge but isn't signed by my PGP key won't run. Public keyservers already exist; NVDA doesn't need to build infrastructure, or in any way gatekeep or endorse developers to do this.
* reserve addon names: fastfinge is the known developer of unspoken-ng. So flag a big warning before running a version of unspoken-ng developed by BobTheBad man. And don't run a version of unspoken-ng not signed by fastfinge's known PGP key at all.

There are ways to let users understand if an addon can be trusted, or how much, and who made it, without centralizing on the store, pointlessly scanning with VirusTotal, etc. NVDA addon security based on restricting functionality is never going to work. So instead, we need to create the tools to build trust models of developers, and know exactly who wrote and signed off on the code we're running.

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 16:09:12 GMT

fastfinge@fed.interfree.ca — Tue, 19 May 2026 16:09:12 GMT

@MostlyBlindGamer Yeah, but I know you've deceived me, Now here's a surprise. I know that you have, 'Cause there's magic in my eyes. I can see for miles and miles, And miles and miles...

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 15:58:53 GMT

mostlyblindgamer@dragonscave.space — Tue, 19 May 2026 15:58:53 GMT

@fastfinge it’s about the [puts on sunglasses] optics.
[The Who blares in the background]

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 15:49:16 GMT

jscholes@dragonscave.space — Tue, 19 May 2026 15:49:16 GMT

@alexhall It was mentioned in the What's New document, so it probably isn't an accident. @fastfinge

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 15:45:04 GMT

fastfinge@fed.interfree.ca — Tue, 19 May 2026 15:45:04 GMT

@MostlyBlindGamer I don't even know why they're doing this. If you don't have a virus scanner enabled on your computer, this will not save you. Any addon can just download remote code whenever it wants to. That is, in fact, how most addon update checkers work. So even if you audit the results, it's completely meaningless unless you also audit all the code. The only thing this does is give users a false sense of security.

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 15:41:57 GMT

fastfinge@fed.interfree.ca — Tue, 19 May 2026 15:41:57 GMT

@MostlyBlindGamer It looks like it gets put there when it's uploaded to the store. But I develop addons that aren't distributed via the store, because of silly NVDA rules. So I can just put whatever I want there. And I haven't actually tested to see what happens if I upload an addon to the store with the virustotal keys already included.

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 15:39:37 GMT

mostlyblindgamer@dragonscave.space — Tue, 19 May 2026 15:39:37 GMT

@fastfinge who puts it in there?
If it’s the developer, I’d check server-side, before making it available in the store. I don’t have a problem with sharing the URL with the client for transparency and auditing.
If NVDA do the check, that would only be server-side.
There’s no reason to have all the clients hammering VirusTotal servers.
I’d run a packet sniffer and navigate through the store to confirm the possibility that they’re doing something very silly.

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 15:30:48 GMT

fastfinge@fed.interfree.ca — Tue, 19 May 2026 15:30:48 GMT

@MostlyBlindGamer I did. It could have been unrelated; there's a lot of stuff going on this network. But what would be the point of just including the URL to the results? I can just put anything I want in the manifest and say it passes. For it to mean anything, NVDA has to reach out and check. So this is either a privacy violation, or total security theatre. Not good either way.

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 15:30:40 GMT

tspivey@dragonscave.space — Tue, 19 May 2026 15:30:40 GMT

@fastfinge You're most likely hitting this issue that was fixed: https://github.com/nvaccess/nvda/issues/19984
Reading that and the linked PRs, you might need to delete the .json file for some addons for that error to go away.

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 15:20:14 GMT

mostlyblindgamer@dragonscave.space — Tue, 19 May 2026 15:20:14 GMT

@fastfinge

The add-on data model:

nvda/source/addonStore/models/addon.py at master · nvaccess/nvda

NVDA, the free and open source Screen Reader for Microsoft Windows - nvda/source/addonStore/models/addon.py at master · nvaccess/nvda

GitHub (github.com)

The scan results model where the URL comes up:

nvda/source/addonStore/models/scanResults.py at master · nvaccess/nvda

NVDA, the free and open source Screen Reader for Microsoft Windows - nvda/source/addonStore/models/scanResults.py at master · nvaccess/nvda

GitHub (github.com)

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 15:18:16 GMT

saschacowley@beige.party — Tue, 19 May 2026 15:18:16 GMT

@fastfinge @pixelate Uh, that is weird and bad. HAVE you considered filing a ticket?

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 15:17:38 GMT

mostlyblindgamer@dragonscave.space — Tue, 19 May 2026 15:17:38 GMT

@fastfinge clarifying my last question: in your firewall logs, because this is not communication with that domain.

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 15:16:27 GMT

mostlyblindgamer@dragonscave.space — Tue, 19 May 2026 15:16:27 GMT

@fastfinge well, I figure I’d end up cloning the repo at some point.

The scan results object (including URL) is part of the add-on view model. Without forcing myself to read more Python, but also having noticed that object is deserialized from JSON, it seems most likely that the store server sends the client the fully auditable virus scan results.

Did you find any communication to VirusTotal in your logs?

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 15:13:17 GMT

jonathan859@someplace.social — Tue, 19 May 2026 15:13:17 GMT

@fastfinge If that’s the security they’re talking about implementing for corporate environments, that’s definitely going to backfire.

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 15:01:58 GMT

tspivey@dragonscave.space — Tue, 19 May 2026 15:01:58 GMT

@fastfinge As far as I know, the store does this when someone submits an addon, not NVDA.

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 14:59:00 GMT

fastfinge@fed.interfree.ca — Tue, 19 May 2026 14:59:00 GMT

@saschacowley @pixelate Then why is my machine reaching out to that virustotal URL that showed up in the log snip and timing out?

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 14:57:54 GMT

saschacowley@beige.party — Tue, 19 May 2026 14:57:54 GMT

@fastfinge @pixelate This only applies to Add-on Store add-ons, and it is done as part of the GitHub Actions workflows that run on nvaccess/addon-datastore. Unless you *choose* to visit the VirusTotal URL, your machine is entirely unaffected

Reply to It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. on Tue, 19 May 2026 14:56:25 GMT

alexhall@mastodon.social — Tue, 19 May 2026 14:56:25 GMT

@fastfinge I really hope that's a temporary thing they forgot to take out or something. The intent of keeping users safe is nice, but I feel like uploading things I chose to download to a random virus checker that I didn't approve or ask for is a really bad move.