Flagged by SentinelOne scan

[dylanlan]

Hello,

We tried testing out lefthook for some git hooks this week, but lefthook got flagged by SentinelOne on one of our developer MacBooks as potentially malicious, from it apparently downloading a @evilmartians/lefthook/bin/lefthook_windows_386/lefthook.exe file.

We're gonna try switching to husky instead, but I figured I'd post some details here under the assumption that it was just a bug and not actually malicious. It looks like the code might try to download a lefthook.exe if it detects that it's running on windows: https://github.com/evilmartians/lefthook/blob/master/packaging/npm-bundled/get-exe.js#L10

Details:
Laptop: MacBook Pro, 2021
Processor: Apple M1 Chip
macOS: Sonoma 14.1.1
Lefthook version: 1.5.5
Node: 18.18.0
Yarn: 3.6.3

Scan details:

• We had installed lefthook@1.5.5 into our repo package.json, created a .lefthook directory, and a lefthook.yml config file
• The developer had pulled this new dependency, ran a yarn install, and done various development in our own code
• The developer hadn't explicitly ran lefthook install, as far as I know
• The scan complained about this file: /Users/developer.name/.npm/_npx/<hash>/node_modules/@evilmartians/lefthook/bin/lefthook_windows_386/lefthook.exe

I'm pretty sure this was just a false positive scan freaking out about the .exe file download on a MacBook - this lefthook project and repo appear legit to me. I don't have reproduction steps, so I created this as a discussion instead of an issue.

I'm not sure how it ended up installing @evilmartians/lefthook under the npx home directory - as far as I know, the developer was only running yarn install in the repo, and not using npx. We did have a package.json script that ran lefthook install, but the developer doesn't remember explicitly running that. We had at least 4 other developers on different MacBooks also install the dependency and it didn't seem to get flagged (so I'm assuming it didn't download the .exe for them, but I can't fully confirm), so it seems like something went funky for just one developer.

It looks like the code is checking for Windows with ["win32", "cygwin"].includes(process.platform) - maybe that ended up being true on their MacBook somehow, but I'm not sure.

Also, when reporting this to our Security team, it initially sounded like another leftpad fiasco: we had wanted to install lefthook, but ended up with @evilmartians/lefthook, which sounds a bit suspicious, haha.

Regardless, it seems strange that it downloaded a lefthook_windows_386/lefthook.exe file on an M1 MacBook. I haven't found any documentation yet that mentions M1s aren't supported, and it had looked like it was functioning correctly on a few of our M1s. Please let me know if there's any other information that would be helpful!

[Envek]

Hey, thanks for the message.

It seems that you have installed @evilmartians/lefthook NPM package that have binaries for all platforms bundled into it (including Windows binaries).

Switch to lefthook (without namespace prefix).

---

Historically, lefthook has several NPM packages:

1. lefthook that will install the proper subpackage via optionalDependencies trick in package.json, see https://github.com/evilmartians/lefthook/pull/281/files#diff-1e25d14be7aafe70f04f41eed0ff12f6ff41dff920a672946b48e6c3e790cc49R21-R28

2. @evilmartians/lefthook with pre-bundled binaries for all architectures: it weights more than 60 MiB, but doesn't need to fetch anything else.

3. @evilmartians/lefthook-installer that will download matching binary file on installation via post-install hook.

See #273 and #281 and packaging directory in the source code repository for implementation details.

[dylanlan]

Thanks for the info and context! I'm like 99% sure that we had only installed the lefthook package itself, and not the @evilmartians/lefthook one. I didn't see any mention of @evilmartians in our yarn.lock file, and here's our package.json diff when we removed it:

It sounds like accidentally installing @evilmartians/lefthook would have caused the .exe download to get flagged, since it has the windows binary bundled by default - that makes sense to me. I was just wondering if there's a chance that lefthook itself could've inadvertently installed @evilmartians/lefthook which includes the binary, but sounds like it didn't / shouldn't.

It felt like something else was involved, especially since it had ended up installing under the ~/.npm/_npx directory, rather than the repository's node_modules directory. Maybe our developer had ran something that accidentally installed it - I'll try double checking with them again.

Regardless, we're wanting to avoid future threat alerts from SentinelOne, even if they might be false positives, so we're still planning to switch to husky. We might revisit lefthook in the future, though - it seemed easy to configure while we were trying it out!

Thanks!

[dylanlan]

A coworker found that it might've been this npx @evilmartians/lefthook line (or a similar one somewhere else) that possibly caused that package to get installed in the developer's .npm/_npx directory. That's the only new theory on our end for this mystery! Still unsure why it seemed to happen to only one of our developers, though.