
Why is a Shockwave Flash SWF file included and then triggering macOS ransomewhere alerts?

Open OKNoah opened this issue 3 years ago • 7 comments

[Screenshot attached by the reporter: "Screen Shot 2021-01-14 at 4.58.21 PM" (scanner alert, not reproduced here)]

This is after doing npx expo install.

OKNoah avatar Jan 15 '21 03:01 OKNoah

I'm not sure what that warning image is even saying. Is it saying node locked those files? What does that mean in this case? Just a regular file lock or is this tool saying it's doing something evil? Does that even have anything to do with the files that are being locked like the swf?

That old flash support was there to do raw socket connections in a browser. Now that flash has fallen out of favor, it's not of much use anymore.

Assuming the swf file hasn't been modified, it should be safe. The 4+ year old code and prebuilt swf are available in the flash/ dir. You could rebuild it yourself if the toolchain still works.

You might want to contact your scanner vendor and ask them why this is happening.

davidlehn avatar Jan 15 '21 04:01 davidlehn

I assumed this was macOS, but maybe ReiKey or Clamxav

OKNoah avatar Jan 16 '21 09:01 OKNoah

Any update? Adobe has sunset Flash for security risk. Any reason why this module still exists/needed? https://www.adobe.com/products/flashplayer/end-of-life.html: "After the EOL Date, Adobe will not issue Flash Player updates or security patches. Adobe strongly recommends immediately uninstalling Flash Player. To help secure your system, Adobe blocked Flash content from running in Flash Player beginning January 12, 2021. Major browser vendors have disabled and will continue to disable Flash Player from running."

mehboob-alam81 avatar Jul 27 '22 21:07 mehboob-alam81

+1 detected SocketPool.swf as a Trojan

SMBurrows avatar Aug 30 '22 13:08 SMBurrows

+1 detected SocketPool.swf as a Trojan

mohiteng avatar Dec 14 '22 09:12 mohiteng

@davidlehn would you be open to it if I create a PR and drop the support of this entirely? I think many enterprise security monitoring tools generally flag these. I'd rather not fork and maintain this, as node-forge is used by popular tools like webpack server.

yeukhon avatar Jan 25 '23 15:01 yeukhon

There is no trojan or malicious code here at all. It's a shame that security scanner tools are buggy and think there are issues. That being said, I suppose it is time to drop the flash bits. Hard to tell if anyone still uses the flash support. I assume very few projects, if any, still do. I think the way to update is to leave the flash files in the source repo, stop shipping in the npm package, update docs and so on explaining the issue, and release a major update.

davidlehn avatar Jan 27 '23 20:01 davidlehn
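A practical check behind the complaints in this thread is to find out which installed packages actually ship a Flash SWF binary, so the alert can be traced to a dependency and the package's `files` allowlist or `.npmignore` adjusted before publishing. The script below is an added example and is not node-forge's own code or tooling. It identifies SWF files by their three-byte signature (`FWS`, `CWS` or `ZWS`) instead of by extension, so a renamed SWF is still reported and a stray text file named `.swf` is not. The `demo_scan` function builds a small constructed `node_modules` tree (the `node-forge/flash/SocketPool.swf` path is taken from the thread; `@acme/widget` and `plain-lib` are invented); it assumes a POSIX sh with `find`, `head`, `sort` and `mktemp`.

```shell
#!/bin/sh
# Added example (not part of node-forge): list packages under a node_modules
# root that contain Flash SWF binaries, detected by magic bytes.

# Package name for a path relative to the node_modules root; scoped
# packages (@scope/name) keep both components.
pkg_of() {
  rel=$1
  case "$rel" in
    @*) scope=${rel%%/*}; rest=${rel#*/}; printf '%s/%s\n' "$scope" "${rest%%/*}" ;;
    *)  printf '%s\n' "${rel%%/*}" ;;
  esac
}

# Print "<package> <relative path>" for every file under root $1 whose first
# three bytes are a SWF signature: FWS (uncompressed), CWS (zlib), ZWS (LZMA).
find_swf() {
  root=$1
  find "$root" -type f | while IFS= read -r f; do
    case "$(head -c 3 "$f")" in
      FWS|CWS|ZWS)
        rel=${f#"$root"/}
        printf '%s %s\n' "$(pkg_of "$rel")" "$rel"
        ;;
    esac
  done | LC_ALL=C sort
}

# Constructed demo tree: one SWF header under node-forge/flash (path from the
# thread), one renamed SWF in a scoped package, one ".swf" decoy with no
# signature, and an ordinary JS file. Output is printed and the tree removed.
demo_scan() {
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/node-forge/flash" "$tmp/@acme/widget/assets" "$tmp/plain-lib"
  printf 'FWS\010\000\000\000\000' > "$tmp/node-forge/flash/SocketPool.swf"  # constructed header
  printf 'CWS\010\000\000\000\000' > "$tmp/@acme/widget/assets/player.bin"    # renamed SWF
  printf 'not a swf'               > "$tmp/plain-lib/decoy.swf"              # extension only
  printf 'module.exports = {}'     > "$tmp/plain-lib/index.js"
  find_swf "$tmp"
  rm -rf "$tmp"
}

demo_scan
```

Against a real project, run `find_swf ./node_modules` instead of `demo_scan`; each reported line names the package to raise the issue with. On the publishing side, npm's `files` field in `package.json` (an allowlist) or an `.npmignore` entry for `flash/` keeps a directory in the source repository while excluding it from the tarball, and `npm pack --dry-run` lists exactly what would be shipped.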