React-Three_drei.js flags as malware only on Avast Antivirus #2239

JamesMasino opened this issue Nov 28, 2024 · 17 comments
Labels
bug Something isn't working

Comments

@JamesMasino

  • three version: 0.164.1
  • @react-three/fiber version: 8.16.8
  • @react-three/drei version: 9.107.0
  • node version: 20.12.2
  • npm (or yarn) version: 10.6.0

Problem description:

The dependency @react-three_drei.js is falsely flagged as a Trojan Horse virus by Avast, specifically a "JS:Prontexi-Z [Trj]" threat. I'm unsure what part of the library is being flagged.

Relevant code:

Part of the problem is that I can't track down which snippet of drei is flagging Avast's database. So I'm unable to provide relevant code.

Suggested solution:

If someone knows how to identify what JS:Prontexi-Z is and find it within @react-three_drei, it could either be removed or updated so that it is not automatically flagged as a Trojan Horse virus.

Obviously this is only a problem with Avast; maybe a representative of Poimandres could reach out to Avast to get them to update their own database.

@JamesMasino JamesMasino added the bug Something isn't working label Nov 28, 2024
@JamesMasino
Author

Screenshot 2024-11-28 165948

Here's a screenshot. This is an automatic backup being flagged (this is why the file name has a date in it).

@futuritech

Confirmed here too, with "@react-three/drei": "^9.117.3".

@RafaMol

RafaMol commented Dec 17, 2024

Hi. I also get the same ERROR. It is with the DREI and LEVA libraries in Three.js. Do you know if this library can harm my PC? Thanks

@mh0223

mh0223 commented Dec 24, 2024

Same here... Is it OK to continue using @react-three/drei?

@DennisSmolek
Contributor

Looking through Avast's write-up on it, they give little to no details.

It looks like it's common to false-flag libraries too, which makes it hard to chase down.

Are you using any PDF software on your site?

Can you try any of the sandbox pages of this repo and see if they fire? If they don't, it's probably something else in your project getting dinged.

@futuritech

futuritech commented Jan 2, 2025

In my case the online sandboxes work well.

I think it is only related to the compiled version of drei,
produced at least by vitejs after npm run dev.
(In my case I'm on a vitejs context, version ^5.4.11.)

If I import drei in my App like

import { Canvas } from '@react-three/fiber'
import { DreiModuleExample } from '@react-three/drei'
export default function App() {
  return (
    <Canvas>
      <DreiModuleExample  />
      {/* remaining app code */}
    </Canvas>
  )
}

a file @react-three_drei_DATE_.js is generated, and
it is this file that Avast blocks and moves to quarantine (resulting in a 404 in the browser).

@DennisSmolek
Contributor

in my case online Sandboxes work well

can you provide a link to one?

@futuritech

futuritech commented Jan 8, 2025

I meant that the online drei codesandboxes work.

The problem is instead with local development on the vitejs/react fiber/drei combo,
at least in a Windows 11 environment, after npm run dev.

Pseudo-process to reproduce

  1. npm create vite@latest
  2. cd my-threejs-app
  3. npm install three @react-three/fiber @react-three/drei
  4. edit main.jsx
import React from "react";
import { Canvas } from "@react-three/fiber";
import { OrbitControls, Box } from "@react-three/drei";

function App() {
  return (
    <Canvas>
      {/* Camera Controls */}
      <OrbitControls />

      {/* Lights */}
      <ambientLight intensity={0.5} />
      <pointLight position={[10, 10, 10]} />

      {/* Objects */}
      <Box>
        <meshStandardMaterial attach="material" color="orange" />
      </Box>
    </Canvas>
  );
}

export default App;
  5. npm run dev
  6. o + enter (open in browser)

=> RESULT: Avast blocks and removes \node_modules\.vite\deps\@react-three_drei.js (with a Prontexi-Z warning like below)
=> OR
you can restore \node_modules\.vite\deps\@react-three_drei.js from quarantine, zip it, and upload it to virustotal.com to see that Avast flags this file as malicious.

@DennisSmolek
Contributor

I meant that the online drei codesandboxes work.

The problem is instead with local development on the vitejs/react fiber/drei combo, at least in a Windows 11 environment, after npm run dev.

So I’m unable to reproduce this at all on the same environment.

I believe you, I just can’t make it happen nor have any documentation or clue as to what is triggering it. They have no detailed explanation nor outline to what triggers it.

can you share that generated file? I’ll compare it against what my local and all the sandboxes build
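
The comparison requested above could be done along these lines (an added example, not code from this thread or from the drei project). It hashes the quarantined pre-bundle and a reference build of the same drei version, then lists the lines found only in the flagged copy; the sample contents are constructed, and the chunk-name and source-map normalization is an assumption about what varies between machines.

```javascript
// Added example: compare a quarantined Vite pre-bundle with a reference build.
const { createHash } = require("node:crypto");

const sha256 = (buf) => createHash("sha256").update(buf).digest("hex");

// Assumption: line endings, esbuild-style shared chunk names (chunk-XXXXXXXX.js)
// and the trailing sourceMappingURL comment can differ between machines
// without any change to the bundled library code.
function normalize(text) {
  return text
    .replace(/\r\n/g, "\n")
    .replace(/chunk-[A-Z0-9]{8}\.js/g, "chunk-<HASH>.js")
    .replace(/\n\/\/# sourceMappingURL=.*\s*$/, "\n");
}

// flagged / reference: Buffers holding the two copies of @react-three_drei.js.
function compareBundles(flagged, reference) {
  const a = normalize(flagged.toString("utf8")).split("\n");
  const b = normalize(reference.toString("utf8")).split("\n");
  const referenceLines = new Set(b);
  const onlyInFlagged = [];
  a.forEach((text, i) => {
    if (text.trim() && !referenceLines.has(text)) {
      onlyInFlagged.push({ line: i + 1, text: text.slice(0, 120) });
    }
  });
  return {
    rawHashFlagged: sha256(flagged),     // hash of the exact bytes on disk
    rawHashReference: sha256(reference),
    sameAfterNormalizing: a.join("\n") === b.join("\n"),
    onlyInFlagged,                       // what to read first when triaging
  };
}

// Constructed sample contents (not real drei output).
const SAMPLE_REFERENCE = Buffer.from(
  'import { a } from "./chunk-ABCD1234.js";\nexport function Box() { return a("mesh"); }\n' +
  "//# sourceMappingURL=@react-three_drei.js.map\n");
const SAMPLE_OTHER_MACHINE = Buffer.from(
  'import { a } from "./chunk-WXYZ5678.js";\r\nexport function Box() { return a("mesh"); }\r\n' +
  "//# sourceMappingURL=@react-three_drei.js.map\r\n");
const SAMPLE_MODIFIED = Buffer.from(
  'import { a } from "./chunk-ABCD1234.js";\nexport function Box() { return a("mesh"); }\n' +
  "globalThis.__constructedExtra = 1;\n//# sourceMappingURL=@react-three_drei.js.map\n");

console.log(compareBundles(SAMPLE_OTHER_MACHINE, SAMPLE_REFERENCE));
console.log(compareBundles(SAMPLE_MODIFIED, SAMPLE_REFERENCE));
```

In practice the two Buffers would come from fs.readFileSync on the file restored from quarantine and on \node_modules\.vite\deps\@react-three_drei.js from a clean build; the raw SHA-256 can also be searched on virustotal.com without uploading the file.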

@tomcatbuzz

I have recently had the same Avast pop-up just this month, February 2025, when I have had react-three/drei installed many other times in projects. I have Malwarebytes installed and ran a scan on the node_module folder in question, and it reports it is not infected. I have other tools on my PC and have had no other indications that there are infections. Just my opinions on my machine. I reported it as a false positive. Avast may be seeing some pattern in a file that is similar to the trojan it is flagging. I am using "@react-three/drei": "^9.122.0",

@adamistheanswer

Flagging AVG too

"@react-three/drei": "^10.0.3",

Image

@hatem782

Is there any solution for it? Or is there an old version that works well?

@hatem782

hatem782 commented Mar 16, 2025

I used a recent version of "@react-three/drei" (9.117.3) and it is working fine.
Here is the complete line:
"@react-three/drei": "^9.117.3",
Just uninstall the new version with npm uninstall @react-three/drei, then add the old version "@react-three/drei": "^9.117.3", and install it with npm i. If that didn't work, install it using npm i --f

@Siongyu

Siongyu commented Mar 21, 2025

I used a recent version of "@react-three/drei" (9.117.3) and it is working fine. Here is the complete line: "@react-three/drei": "^9.117.3", Just uninstall the new version with npm uninstall @react-three/drei, then add the old version "@react-three/drei": "^9.117.3", and install it with npm i. If that didn't work, install it using npm i --f

Did you still face any issues with the antivirus when you are using this version instead? @hatem782

@hatem782

I used a recent version of "@react-three/drei" (9.117.3) and it is working fine. Here is the complete line: "@react-three/drei": "^9.117.3", Just uninstall the new version with npm uninstall @react-three/drei, then add the old version "@react-three/drei": "^9.117.3", and install it with npm i. If that didn't work, install it using npm i --f

Did you still face any issues with the antivirus when you are using this version instead? @hatem782

No, it was all fine.

@Loque18

Loque18 commented Mar 23, 2025

Same for me using version 10.0.4

Image

@Siongyu

Siongyu commented Mar 24, 2025

Hello, is anyone able to validate so far? My security team is using Norton antivirus and it is flagging the same issue as well.
