This comes up from time to time; maybe we should add a prominent note somewhere (maybe even a locked sticky forum post). The last time seems to have been [this one](https://forum.nim-lang.org/t/10824).
Basically it boils down to false positives based on the AV vendors using silly metrics. All Nim programs will share a little bit of "DNA", and some people have written malware in Nim. This has probably been picked up, and without enough non-malware Nim programs in their fingerprinting routine, AV vendors just flag all Nim programs. I believe Go had the exact same problem some years ago (but with Google backing, it's probably a lot easier to get AV vendors to get their shit together).