It seems strange to me that you just dismiss this as being “likely” a false detection without any prior verification. Shouldn’t you do investigations first and wait for the results of the investigation before jumping to a conclusion?
We would like to have more details about this whole hcaptcha process that you have introduced recently. Can you provide details about the business model of hcaptcha. Is it really meant to stop robots? Why not use google captcha instead then?
Moreover we would like to know if your js challenge uses third party content and how you scan that content for malicious software.
You might not be authorized to provide these details but at the very least I hope you will do some genuine internal checks and clean up whatever needs to be cleaned up. My advice as a webmaster : no source of income is worth ruining your reputation.