@sentry/cli@1.73.0 contains MacOS_Hacktool_Twenbc Malware?

[glensc]

A new Malware was identified and quarantined

Infected Files: 2
Quarantine - Threat: MacOS_Hacktool_Twenbc - /Users/glen/.npm/sentry-cli/ee273a-sentry-cli-Darwin-universal
Quarantine - Threat: MacOS_Hacktool_Twenbc - /Users/glen/scm/kalasaba/node_modules/@sentry/cli/sentry-cli

• https://github.com/getsentry/sentry-cli/releases/tag/1.73.0

[glensc]

The install script downloads this binary:

• https://downloads.sentry-cdn.com/sentry-cli/1.74.3/sentry-cli-Darwin-universal

md5sum:

51157156ed6dc11dbdc1837f583dc7ed  sentry-cli-Darwin-universal

[kamilogorek]

What tool is identifying it as such?

[glensc]

I guess it's false positive then.

This is how much I got from our IT department:

Mosyles own database, macOS XProtect database and ClamAV database.

[glensc]

I tested with clamav and it didn't report it

$ docker run --rm -it -v `pwd`/clamav:/var/lib/clamav -v `pwd`/scandir:/scandir clamav/clamav clamscan /scandir
Loading:    20s, ETA:   0s [========================>]    8.64M/8.64M sigs
Compiling:   5s, ETA:   0s [========================>]       41/41 tasks

/scandir/sentry-cli-Darwin-universal: OK

----------- SCAN SUMMARY -----------
Known viruses: 8644373
Engine version: 0.105.1
Scanned directories: 1
Scanned files: 1
Infected files: 0
Data scanned: 44.30 MB
Data read: 20.82 MB (ratio 2.13:1)
Time: 28.934 sec (0 m 28 s)
Start Date: 2022:11:24 11:49:43
End Date:   2022:11:24 11:50:12

$ docker run --rm -it -v `pwd`/clamav:/var/lib/clamav -v `pwd`/scandir:/scandir clamav/clamav
Starting Freshclamd
Starting ClamAV
Socket for clamd not found yet, retrying (0/1800) ...ClamAV update process started at Thu Nov 24 11:50:46 2022
daily.cvd database is up-to-date (version: 26730, sigs: 2012424, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Socket for clamd not found yet, retrying (6/1800) ...

[siyunlai]

We are getting this as well from Mosyle, and it started poping up recently. Could the anyone from Sentry confirm if this is false positive?

[kamilogorek]

We are not aware of any issues related to security. All checksums are available directly inside installed npm package as checksums.txt file inside root and/or inside our registry https://github.com/getsentry/sentry-release-registry/blob/master/apps/sentry-cli/1.74.3.json

@siyunlai what specific binary is it not happy about? Also can you give us some more details, or some logs about the report itself?

[siyunlai]

The checksum is correct. However, Mosyle quarantines the threat MacOS_Hacktool_Twenbc under .npm/sentry-cli/######-sentry-cli-Darwin-universal. It's the same log as what @glensc has shown above.

[davidstoker]

This popped up the other day on all of our engineers' MBPs.

Dropping this for reference since it's another Rust application this being detected in the same way: https://github.com/kbknapp/cargo-outdated/issues/335 Guessing it's detecting something in some dependency that may be shared?

I administrate Mosyle for our team so can give some info that could help -- their "Detection & Removal 2" endpoint security application is described this way in help content:

It was one of the first solutions in the market to adopt Apple’s new Endpoint Security Framework to constantly monitor a wide range of security events on macOS. Leveraging this framework, Detection and Removal 2 can perform deeper analysis and validations to immediately identify and neutralize new malware introduced on the device through diverse methods.

Mosyle’s AI-based behavioral analysis leverages a large combination of different characteristics and the context of where each was identified to achieve high precision in identifying potentially undesired files and applications and avoid false-positives. However, false positives can happen.

... leverage a special database of known malware and Potentially Unwanted Applications (PUA). This comprehensive database contains:

• The native macOS database used by XProtect and MRT leveraged programmatically and locally on each device (Mosyle doesn’t maintain or distribute copies of the macOS database of definitions);
• A wide list representing malwares and threats known by the security community, curated by Mosyle’s Security Research team and distributed by Mosyle;
  • A complete list of Mosyle’s proprietary definitions identified as part of Mosyle’s Security Research efforts specialized on macOS threats.

[kamilogorek]

I tested the most recent v1 and v2 with ClamAV which was mentioned in the issue linked above, and with the freshest db/signatures it's not reported.

…/Cellar/clamav/1.0.0 ❯ ./bin/freshclam                                                                                                                                                                  ClamAV update process started at Tue Dec  6 13:53:20 2022
daily database available for download (remote version: 26742)
Time:    2.4s, ETA:    0.0s [========================>]   57.55MiB/57.55MiB
Testing database: '/usr/local/var/lib/clamav/tmp.6c3c2cc7a8/clamav-ba6f89a4a83074b29aae3280a5e5c601.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 26742, sigs: 2013568, f-level: 90, builder: raynman)
main database available for download (remote version: 62)
Time:    7.1s, ETA:    0.0s [========================>]  162.58MiB/162.58MiB
Testing database: '/usr/local/var/lib/clamav/tmp.6c3c2cc7a8/clamav-12445f304db62b79e8a9d79041d2be0f.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for download (remote version: 333)
Time:    0.1s, ETA:    0.0s [========================>]  286.79KiB/286.79KiB
Testing database: '/usr/local/var/lib/clamav/tmp.6c3c2cc7a8/clamav-6e0a5397e10137894714ecf44680f8fa.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)

…/Cellar/clamav/1.0.0 ❯ ./bin/clamscan ~/tmp/cli                                                                                                                                                         13:56:07
Loading:    16s, ETA:   0s [========================>]    8.65M/8.65M sigs
Compiling:   4s, ETA:   0s [========================>]       41/41 tasks

/Users/kamilogorek/tmp/cli/sentry-cli-Darwin-universal2: OK
/Users/kamilogorek/tmp/cli/sentry-cli-Darwin-universal1: OK

----------- SCAN SUMMARY -----------
Known viruses: 8645515
Engine version: 1.0.0
Scanned directories: 1
Scanned files: 2
Infected files: 0
Data scanned: 97.32 MB
Data read: 45.74 MB (ratio 2.13:1)
Time: 25.854 sec (0 m 25 s)
Start Date: 2022:12:06 13:56:08
End Date:   2022:12:06 13:56:34

~/tmp/cli ❯ ./sentry-cli-Darwin-universal1 --version                                                                                                                                                     
sentry-cli 1.74.6
~/tmp/cli ❯ ./sentry-cli-Darwin-universal2 --version                                                                                                                                                     
sentry-cli 2.10.0