Ngrok falsely detected as malware (Cassiopeia 2025-05-22)

IntLoopback0
Hey Support,
This afternoon I installed ngrok v3.22.1 via Homebrew on macOS:
% brew install ngrok
==> Downloading https://formulae.brew.sh/api/formula.jws.json
==> Downloading https://formulae.brew.sh/api/cask.jws.json
==> Caveats
To install shell completions, add this to your profile:
  if command -v ngrok &>/dev/null; then
    eval "$(ngrok completion)"
  fi
==> Downloading https://raw.githubusercontent.com/Homebrew/homebrew-cask/.../ngrok.rb
######################################################################## 100.0%
==> Downloading https://bin.equinox.io/a/kwPxkptNrPv/ngrok-v3-3.22.1-darwin-amd64.zip
Already downloaded: /Users/roble/Library/Caches/Homebrew/downloads/...--ngrok-v3-3.22.1-darwin-amd64.zip
==> Installing Cask ngrok
==> Purging files for version 3.22.1,kwPxkptNrPv,a of Cask ngrok
Error: Operation not permitted @ rb_sysopen - /private/tmp/homebrew-unpack-20250522-2132-fd20l9/ngrok
This same binary was running without issue this morning, but now F-Secure has quarantined/blocked it immediately after the Cassiopeia 2025-05-22_rp definitions (received at 17:48:12).
I’m confident this is a false positive:
- Binary source: Official ngrok download via Homebrew (https://bin.equinox.io)
- Signature: Valid code signature by “ngrok, Inc.”
- macOS version: 10.15.7
Request: Could someone from F-Secure Labs please review this definition update and whitelist ngrok again? I can provide SHA256 hashes or the quarantined sample if needed.
Thanks in advance!
Rob Lee