Gatsby: Possible ransomware within gatsby-plugin-sass?

Created on 1 Dec 2018 · 6Comments · Source: gatsbyjs/gatsby

Summary

Can't run gastby build if using gatsby-plugin-sass, the process gets killed by anti-malware that idnetifies the node process running as Potential ransomware was terminated.

Relevant information

Hi, so this is a bit weird. I'm working on a gatsby project and develop always works fine. At some point gatsby build stopped working. The process gets killed by a work-mandated anti-malware program called Carbon Black Defense. It keeps killing gastby build with a message saying Potential ransomware was terminated. Now this could obviously be some false positive, but I have tinkered with the repo and noticed that if I comment out gatsby-plugin-sass inside gatsby-config.js it works fine (but of course produces some messed up stylesheets due to no sass support now).

I googled a bunch but could find anything. Also, at the same that this issue started, my deploys to zeit Now are failing as well without a specific error:

{ Error: An error running "now-build" script in "package.json"
    at Object.exports.build (/tmp/utils/build-module/node_modules/@now/static-build/index.js:29:11)
    at <anonymous> reported: true }

Environment (if relevant)

System:
OS: macOS High Sierra 10.13.6
CPU: x64 Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
Shell: 5.3 - /bin/zsh
Binaries:
Node: 11.0.0 - /usr/local/bin/node
Yarn: 1.9.4 - ~/.yarn/bin/yarn
npm: 6.4.1 - /usr/local/bin/npm
Browsers:
Chrome: 70.0.3538.77
Firefox: 59.0.2
Safari: 12.0.1
npmPackages:
gatsby: ^2.0.59 => 2.0.59
gatsby-image: ^2.0.20 => 2.0.22
gatsby-plugin-manifest: ^2.0.9 => 2.0.11
gatsby-plugin-react-helmet: ^3.0.2 => 3.0.3
gatsby-plugin-sass: ^2.0.5 => 2.0.5
gatsby-plugin-sharp: ^2.0.12 => 2.0.14
gatsby-plugin-styled-components: ^3.0.4 => 3.0.4
gatsby-source-filesystem: ^2.0.8 => 2.0.10
gatsby-transformer-sharp: ^2.1.8 => 2.1.9
npmGlobalPackages:
gatsby-cli: 2.4.4

File contents (if changed)

gatsby-config.js:

module.exports = {
  siteMetadata: {
    title: "Uno",
  },
  plugins: [
    "gatsby-plugin-react-helmet",
    {
      resolve: `gatsby-plugin-manifest`,
      options: {
        name: "Introducing Uno",
        short_name: "uno",
        start_url: "/",
        background_color: "#663399",
        theme_color: "#663399",
        display: "minimal-ui",
        icon: "src/images/gatsby-icon.png", // This path is relative to the root of the site.
      },
    },
    "gatsby-plugin-sass",
    "gatsby-plugin-styled-components",
  ],
};

package.json:

{
  "dependencies": {
    "@researchgate/react-intersection-observer": "^0.7.4",
    "babel-plugin-styled-components": "^1.9.2",
    "bootstrap": "^4.1.3",
    "gatsby": "^2.0.59",
    "gatsby-image": "^2.0.20",
    "gatsby-plugin-manifest": "^2.0.9",
    "gatsby-plugin-react-helmet": "^3.0.2",
    "gatsby-plugin-sass": "^2.0.5",
    "gatsby-plugin-sharp": "^2.0.12",
    "gatsby-plugin-styled-components": "^3.0.4",
    "gatsby-source-filesystem": "^2.0.8",
    "gatsby-transformer-sharp": "^2.1.8",
    "intersection-observer": "^0.5.0",
    "jquery": "^3.3.1",
    "node-sass": "^4.10.0",
    "react": "^16.6.3",
    "react-dom": "^16.6.3",
    "react-helmet": "^5.2.0",
    "styled-components": "^4.1.2"
  },
  "keywords": [
    "gatsby"
  ],
  "license": "MIT",
  "scripts": {
    "build": "gatsby build",
    "develop": "gatsby develop",
    "format": "prettier --write '**/*.js'",
    "test": "echo \"Error: no test specified\" && exit 1",
    "start": "serve public/"
  },
  "devDependencies": {
    "exports-loader": "^0.7.0",
    "prettier": "^1.14.3"
  },
  "repository": {
    "type": "git",
    "url": "https://github.com/gatsbyjs/gatsby-starter-default"
  }
}

gatsby-node.js: N/A
gatsby-browser.js: N/A
gatsby-ssr.js: N/A

Source

liorbrauer

All 6 comments

Hey!

So, I'm not sure we're going to be able to assist a ton here. It sounds like it's an issue with the malware detection, and specifically some type of false positive.

Initializing a new project, adding gatsby-plugin-sass, and then running npm audit yields the following results:

=== npm audit security report ===

found 0 vulnerabilities
in 24 scanned packages

So it seems like we're pretty good here from our end. As far as debugging this further--is there more info provided by the tool?

Also, at the same that this issue started, my deploys to zeit Now are failing as well without a specific error:

Does now-build run the build script? I'd imagine if one fails, the other will too. It could also be related to the recent release of now v2.

DSchau on 1 Dec 2018

Hey, I checked our published plugin ( https://registry.npmjs.org/gatsby-plugin-sass/-/gatsby-plugin-sass-2.0.5.tgz ) and it doesn't seems like this problem could come directly from that - things to check would be dependencies (and their dependencies):

node-sass
sass-loader (webpack loader wrapper around node-sass)

pieh on 1 Dec 2018

I've just tried publishing to now with @now/static-build example using gatsby-plugin-sass and it was published successfully. So I would think that what @DSchau said about now v2 seems most likely here.

pieh on 1 Dec 2018

Alright, thank you both for your swift input. I'll keep investigating and report if I find anything. I opened this issue mainly to see if others have encountered a similar issue.

liorbrauer on 2 Dec 2018

I just bumped in the same issue. Again, with Carbon Black Defense. In my case, if I remove gatsby-plugin-manifest it works fine.

I cannot develop or build, it gets identified as "Ransomware". @liorbrauer, did you find any workaround? The funny thing is that I have always had Carbon Black running, and it was fine.