tee.exe binary dependency exhibiting illegitimate / unauthorized behavior · Issue #32431 · neovim/neovim.
opened 04:40PM - 13 Feb 25 UTC
closed 12:10PM - 14 Feb 25 UTC
labels: security, platform:windows
While installing/testing neovim in a Windows 11 sandbox environment for security testing purposes before deploying in a commercial environment, the bundled tee.exe binary was classified as Trojan.Malware.300983.susgen. After doing my due diligence to rule out a false positive, I'm finding that this binary is exhibiting what I would consider suspicious behavior. Specifically, it is performing DNS lookups to fp2E7A.wpc.2BE4.phicdn.net and fp2e7a.wpc.phicdn.net, and making network connections to the following IPs, one of which is flagged as malicious (confirmed by VirusTotal, https://www.virustotal.com/gui/file/950eea4e17fa3a7e89fa2c55374037b5797b3f1a54fea1304634884ab42ec14d/relations):
UDP a83f:8110:0:0:700:700:2800:4000:53
TCP 20.99.184.37:443
TCP 20.99.133.109:443
TCP 23.216.147.64:443 (potentially malicious)
TCP 20.99.186.246:443
TCP 192.229.211.108:80
UDP a83f:8110:8d88:ffff:3083:de03:8d88:ffff:53
TCP 151.101.22.172:80
TCP 23.192.210.9:443 (res.public.onecdn.static.microsoft)
UDP 192.168.0.2:137
The tee utility and its expected behavior are fairly well documented and known. I cannot find any justifiable explanation for this behavior.
The commit history shows that this binary was committed to the neovim/deps repo ~2 years ago via https://github.com/neovim/deps/commit/21c5e8bdda33521a6ed497b315e03265a2785cbc, and that's where it's being sourced from when building neovim. Given this behavior, I'm inclined to suggest that a root cause analysis should be performed, and to insist that this binary, along with the others in the deps repo, should be built from source.
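As an added example, not the reporter's code and not anything shipped by neovim, here are the two checks a practitioner would run before acting on a report like the one above: confirm that the tee.exe on disk is the same artifact as the VirusTotal sample by SHA-256 (the digest is the one in the VirusTotal URL the report links), and triage the quoted connection list into local versus public endpoints and by service, keeping the reporter's parenthetical annotations. The connection lines are the ones quoted in the issue, embedded here as constructed sample input; the helper that re-reads the IPv6-looking entries as four leading IPv4 bytes is a hypothesis check (those addresses fall in no allocated unicast range, so a mis-rendered IPv4 socket is one possibility), not a finding the page makes.

```python
"""Triage helpers for a bundled binary flagged for unexpected network activity.
Added example; not code from the neovim project or the issue reporter.
The only inputs it assumes are the ones quoted in the issue: the VirusTotal
sample hash and the connection list."""
import hashlib
import ipaddress
import re

# SHA-256 of the sample the reporter linked on VirusTotal (taken from the URL).
REPORTED_SHA256 = "950eea4e17fa3a7e89fa2c55374037b5797b3f1a54fea1304634884ab42ec14d"

# Constructed sample input: the connection list exactly as quoted in the issue,
# including the reporter's parenthetical annotations.
OBSERVED = """\
UDP a83f:8110:0:0:700:700:2800:4000:53
TCP 20.99.184.37:443
TCP 20.99.133.109:443
TCP 23.216.147.64:443 (potentially malicious)
TCP 20.99.186.246:443
TCP 192.229.211.108:80
UDP a83f:8110:8d88:ffff:3083:de03:8d88:ffff:53
TCP 151.101.22.172:80
TCP 23.192.210.9:443 (res.public.onecdn.static.microsoft)
UDP 192.168.0.2:137
"""


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    # Stream the file so large binaries do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_reported_sample(digest, expected=REPORTED_SHA256):
    """True if the local file's digest equals the VirusTotal sample's.
    If it does not match, the VirusTotal relations in the report describe a
    different file and the two artifacts must be told apart first."""
    return digest.lower() == expected.lower()


# "<PROTO> <host>:<port>" with an optional trailing "(annotation)".
# \S+ is greedy, so the last ":digits" is taken as the port, which also
# handles colon-separated IPv6 hosts.
_LINE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)(?:\s+\((.*)\))?\s*$")


def parse_endpoint(line):
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable endpoint line: {line!r}")
    proto, host, port, note = m.groups()
    return proto, ipaddress.ip_address(host), int(port), note


SERVICE_BY_PORT = {53: "dns", 137: "netbios-ns", 80: "http", 443: "https"}


def classify(line):
    proto, addr, port, note = parse_endpoint(line)
    local = addr.is_private or addr.is_link_local or addr.is_loopback
    return {
        "proto": proto,
        "addr": str(addr),
        "port": port,
        "scope": "local" if local else "public",
        "service": SERVICE_BY_PORT.get(port, "other"),
        "note": note,
    }


def ipv6_leading_bytes_as_ipv4(addr):
    """Render the first 32 bits of an IPv6 address as a dotted quad.
    Assumption, not a conclusion: this only shows what those bytes would be
    if the capture tool had mis-rendered an IPv4 socket address as IPv6."""
    packed = ipaddress.IPv6Address(addr).packed
    return str(ipaddress.IPv4Address(packed[:4]))


def triage(text=OBSERVED):
    return [classify(l) for l in text.splitlines() if l.strip()]


def summarize(rows):
    counts = {"public": 0, "local": 0, "dns": 0, "netbios-ns": 0, "web": 0, "other": 0}
    for r in rows:
        counts[r["scope"]] += 1
        if r["service"] in ("http", "https"):
            counts["web"] += 1
        else:
            counts[r["service"]] += 1
    return counts


if __name__ == "__main__":
    rows = triage()
    for r in rows:
        tag = f'  # {r["note"]}' if r["note"] else ""
        print(f'{r["proto"]} {r["addr"]}:{r["port"]} {r["scope"]:6} {r["service"]}{tag}')
    print(summarize(rows))
```

Run the hash check against the tee.exe from your own install first (sha256_of_file on its path): if the digest differs from REPORTED_SHA256, the VirusTotal relations cited above belong to another file and the comparison stops there. For the connection list, the classification is only as good as the capture's process attribution; a sandbox that charges all host traffic to the launched process needs per-socket owner evidence (which PID opened each socket) before any endpoint can be pinned on tee.exe.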
This thread was posted by one of our members via one of our news source trackers.