Comment by KomoD

3 months ago

> More concerning than the detections is the observed behavior:
> - Random cmd.exe processes spawning periodically
> - Persistent background activity
> - BitLocker recovery triggered after offline virus scan
> - Suspicious network connections

Your own links disprove this. "No relevant DNS requests were made.", "No relevant hosts were contacted.", "No relevant HTTP requests were made."

> This goes beyond typical false-positive behavior seen with some Chinese development tools (which sometimes lack proper code signing or use aggressive system access).

No, it doesn't.

> Two possibilities:
> 1. Supply chain compromise - their dl.sipeed.com server is serving modified binaries
> 2. Aggressive false positive (seems less likely given the behavioral indicators)

One possibility: a regular false positive and a guy who doesn't know what he is talking about.

> If this is a supply chain attack

It isn't.