Should OP invoke ngrok?

REBELinBLUE
REBELinBLUE
Community Member
edited May 20 in CLI

Sorry this may sound weird

I have CLI 2.24.0 installed.

Today on my machine Crowdstrike blocked a process and quarantined it

Looking into it it was a version of ngrok, which I have installed via homebrew.

Description: This file is classified as Adware/PUP based on its SHA256 hash.
Customer ID: XXXXXX
Host name: XXXXXX
File name: ngrok
File path: /opt/homebrew/Caskroom/ngrok/3.9.0,3N6KtVt2Euc,a/ngrok
Command line: ngrok --version
SHA 256: 134a4b69f53731b6fac0a60ee2c7eef9450b966dd51b895c10fc5705a4211a55
MD5 Hash data: fdfd63ad0cbcb0e6d8aa0d6131de00d5
Full detection details: https://falcon.eu-1.crowdstrike.com/activity/XXXXXX
Platform: Mac
IP address: XX.XX.XX.XX
User name: stephen.ball
Detected: May. 20, 2024 15:42:09 local time, (2024-05-20 14:42:09 UTC)
Last behavior: May. 20, 2024 15:42:09 local time, (2024-05-20 14:42:09 UTC)

Now, obviously this is nothing to do with 1password, but looking at the process breakdown it was launched by the 1password cli

I was indeed running aws-vault exec deploy -- op run --env-file=.env -- terraform plan at the time, so that explains why bash inside fish (fish is the shell I use, and knowing what aws-vault does it seems likely it launches bash)

what I don't understand is why op would be launching ngrok? I don't have it in my list of configured plugins

alias gh="op plugin run -- gh"
alias vault="op plugin run -- vault"

Thanks

1Password Version: 8.10.32
Extension Version: Not Provided
OS Version: macOS 14.5
Browser: Not Provided

Comments

  • rahulgk
    rahulgk
    Community Member

    We have noticed the same behaviour when one of our colleagues installed 1password cli using home brew and then crowdstrike flagged the ngrok as PUP.

  • REBELinBLUE
    REBELinBLUE
    Community Member
    edited May 22

    I have ngrok installed on my personal machine but haven't launched it since doing so, yesterday when running gh repo clone foo/bar I got the following (gh is wrapped alias gh="op plugin run -- gh")

    So 1password CLI definitely seems to be trying to run it.

    I assume 1password is trying to find out if you have the commands installed for the various things it has plugins for, but it doesn't feel right that it should do this when running op run in general, only if you are trying to use the specific plugin or configure the plugin.

    I'm sure it's not, but it looks dodgy, given the actual purpose of ngrok

  • REBELinBLUE
    REBELinBLUE
    Community Member

    Support have replied to me

    I'm happy to help provide some context of that ngrok version check.

    Thanks for pointing this out - we do have a check for the version of the ngrok however it's supposed to only be run when a user is making use of the ngrok shell plugin. The Development team has been informed and will be moving this invocation to only be used after the ngrok shell plugin is invoked. We only check the version of ngrok installed, and do not otherwise use or invoke its functionality.

    This behavior does not have any security ramifications but is definitely unexpected behavior. We have logged a feature issue to rectify this unexpected behavior and my apologies for any inconvenience it has caused! If you are interested I can track this issue and as any updates occur I can reach back out.

  • nickhammond
    nickhammond
    Community Member

    I'm still seeing the prompt for ngrok, has this update been released? I'm on 1P CLI 2.30.0.

    I know it's mentioned that it's not a security concern but due to the nature of ngork(tunneling) it's an alarming thing to prompt to run this when you're just trying to fetch a credential via the 1P CLI.