Summary
Microsoft Defender for Endpoint detected and blocked Trojan:MacOS/Multiverze
in the ngrok binary downloaded by this package's postinstall.js → download.js script.
ReversingLabs Spectra Assure independently confirms malware/tampering in this version:
https://secure.software/npm/packages/ngrok/5.0.0-beta.2
Timeline
- 2026-02-28 — Clean install of ngrok@3.x (no issues)
- 2026-03-20 ~19:31 — Package updated to 5.0.0-beta.2 globally via npm
- 2026-03-20 23:42 UTC+1 — Defender detected and terminated malicious process
- 2026-03-21 23:50 — Incident confirmed, binary already removed by Defender
Technical details
- Package: ngrok@5.0.0-beta.2 (this repo, bubenshchykov)
- Platform: macOS darwin-arm64
- Defender alert: Trojan:MacOS/Multiverze — classification: Malicious, Status: Blocked
- Process name: [2493] r (single-letter executable, classic masking technique)
- Download source: https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-darwin-arm64.zip
- Cache dir: ~/.ngrok/ (created at time of infection, now empty — binary removed)
- Bin dir: node_modules/ngrok/bin/ — empty after Defender removal
Infection vector
postinstall.js calls download.js which fetches a binary ZIP from the equinox.io CDN
and extracts it to bin/ngrok. The downloaded binary contained the Multiverze payload.
This package has had no new releases in 3+ years and may have a compromised
maintainer account or compromised CDN path.
The official ngrok SDK is now @ngrok/ngrok — consider deprecating this package
and pointing users to the official one.
Evidence
Recommendation
- Deprecate this package on npm immediately
- Investigate whether the equinox.io CDN path /c/bNyj1mQVY4c/ has been compromised
- Notify existing users (466 dependents on npm)
- Point users to the official @ngrok/ngrok package