That’s definitely a concerning message to see, so it’s good you’re looking into it instead of ignoring it.
In a lot of cases like this, the warning isn’t actually coming from Bitbucket itself but from a browser extension, antivirus, or external security scanner that’s flagging something based on patterns rather than real malicious behavior. Scripts, compiled assets, or even certain strings in code can sometimes trigger false positives.
I’d start by cloning the repo locally and running a trusted malware scan on it. If everything comes back clean, double-check whether the warning still appears in a different browser or with extensions disabled — that can help confirm whether the alert is external.
If you have CI/CD pipelines, webhooks, or other integrations pulling the repo automatically, it’s also worth checking any related tickets proxies or internal alerts tied to those systems, since those tools sometimes generate security messages that get mixed in with platform warnings.
If after all that things still don’t add up, reaching out to Atlassian support is probably the best next step. They can confirm whether Bitbucket has actually flagged the repository or if it’s just a third-party detection. Hopefully it turns out to be a false alarm.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.