Trojan Skeeyah.H


Windows defender detects a Trojan in PhpStorm install folder, details below. Is this a false positive or is the installer compromised?



containerfile: C:\Program Files\JetBrains\PhpStorm\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar

file: C:\ProgramFiles\JetBrains\PhpStorm\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar->com/intellij/lang/javascript/inject/JsRegExpMatcherProvider.class


No similar reports in our support center or at our tracker. So this is a first one. Where did you get the file: from Any chance the installation got infected after it's been already installed?


I have the same problem. In my case I'm using Microsoft System Center Endpoint Protection. The trojan is detected in IntelliJ IDEA Ultimate 2017.3.


i downloaded the installer from and I'm pretty confident it was from the installer as Windows picked it up shortly after the install. Windows also located the same Trojan in Clion.


Windows defender just found Skeeyah.H in my WebStorm folder. I got my license and installer from jetbrains for being a full time student using my student email. I don't know what this is, but this Trojan has been detected again after I removed it once.


Please submit this issue at attaching screenshots/information about the issue for our devs to look into.


I am also having the same issue.


I ran into this same problem, couldn't see anyone had reported it on YouTrack, so did so here:


Windows Defender advanced scan also reported a Trojan in my IntelliJ installation.  I do an advanced scan every week so this is new.   

The report was of Win32/Skeeyah.H, but the location was in c:\Program Files\JetBrains\Intellij IDEA 2017.3\plugins\JavaScriptLang\lib\JavaScriptLanguage.jar.  The report says the problem is in file: C:\Program Files\JetBrains\IntelliJ IDEA 2017.3\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar->com/intellij/lang/javascript/inject/JsRegExpMatcherProvider.class

Clearly this is a widespread issue.  

It would be good to find out whether this is a false positive or real.  I've left it quarantined for now, but Windows Defender is recommending "Remove threat now".


I checked my portable computer also running IntelliJ, ran NOD32 first, which didn't give a Trojan warning, but Windows Defender (advanced scan) did.  

Both copies of IntelliJ are 2017.3.4 build IU-173.4548.28.



Same issue.  Win10, install downloaded from intelliJ.


I just got the same message, using Windows 10 Pro and the latest Windows Defender definitions. Uploaded the file to VirusTotal, no detection there. I've put the file into quarantine for the time being.

C:\Program Files\JetBrains\IntelliJ IDEA 2017.3.3\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar


Windows 10 Pro Defender just gave a warning:Trojan:Win32/Skeeyah.H

Affected items:
containerfile: C:\Program Files\JetBrains\WebStorm 2017.3.4\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar
file: C:\Program Files\JetBrains\WebStorm 2017.3.4\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar->com/intellij/lang/javascript/inject/JsRegExpMatcherProvider.class



I also got the same message:

file: C:\Program Files\JetBrains\IntelliJ IDEA 2017.3.4\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar

file: C:\Program Files\JetBrains\IntelliJ IDEA 2017.3.4\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar->com/intellij/lang/javascript/inject/JsRegExpMatcherProvider.class


Hello everynyan! 

Glad (?) to know I'm not the only one having this issue. Left my comp to scan overnight and came up with this.


Same here. Can you guys give us any update, please?


Hi Yigit, a JetBrains employee commented on the YouTrack issue yesterday:


OK, according to Vladimir Orlov's check-up and conclusions this is a false alarm or hoax by Windows Defender.

It would still be interesting to know what was removed during the file clean-up by the Defender. If some code was truely removed from the, is my IDE now missing something? Should the 'infected file' be reinstalled to avoid future errors?


According to information in the issue, the affected file is JavaScriptLanguage.jar.
If it's still there in your installation - don't bother, it's not likely that Defender corrupts files.


Has JetBrains gotten Microsoft to take the file off the threat list for future scans?

Has JetBrains modified the file so as not to trigger a warning by Microsoft?

And what are we supposed to do? 

1. Nothing (to leave the file in Quarantine)

2.  Click Restore

3.  Click Remove

JetBrains should be providing specific guidance.



I restored the file from the Windows Defender quarantine today, and let it scan the IntelliJ directory, no threats found. I guess Microsoft updated the antivirus definitions.