Ransomware node detected by sophos when using NextJS

Unanswered

Sloth bear posted this in #help-forum

Sloth bearOP

2024-11-20T09:16:01.497Z

Sometimes when I am running a NextJS project, I get a warning

Ransomware node detected. /.nvm/versions/node/v18.20/bin/node

in sophos and I get a error

error: eperm: operation not permitted, open '/projects/.next/server/app-paths-manifest.json'

and I have to restart the development server. This happens for next-server process when I checked the process id in sophos. Any idea on how to resolve this or is it a bug from Nextjs?

23 Replies

@Sloth bear Sometimes when I am running a NextJS project, I get a warning Ransomware node detected. /.nvm/versions/node/v18.20/bin/node in sophos and I get a error error: eperm: operation not permitted, open '/projects/.next/server/app-paths-manifest.json' and I have to restart the development server. This happens for `next-server` process when I checked the process id in sophos. Any idea on how to resolve this or is it a bug from Nextjs?

gin

2024-11-20T09:36:38.239Z

both are different things tho

nvm has nothing to do with nextjs

check that you have the correct read write permissions set

@gin both are different things tho

Sloth bearOP

2024-11-20T15:23:05.544Z

exactly but it doesn't matter if I have installed node through nvm or installed the binaries, the warning comes in sophos

@gin nvm has nothing to do with nextjs

Sloth bearOP

2024-11-20T15:23:41.003Z

It is only happening while I'm working with NextJS project

As soon the I get the ransomware warning, thw below error comes in dev server

Error: EPERM: operation not permitted, open '/Volumes/Workspace/Projects/test/.next/server/app-paths-manifest.json'

and this write was by the process next-server when I checked which process using ps command

"use php"

2024-11-20T17:41:59.834Z

What antivirus are you using

@"use php" What antivirus are you using

Sloth bearOP

2024-11-21T06:13:51.266Z

Sophos Central

"use php"

2024-11-21T09:06:25.350Z

You might have to contact the customer support of that antivirus

@Sloth bear As soon the I get the ransomware warning, thw below error comes in dev server Error: EPERM: operation not permitted, open '/Volumes/Workspace/Projects/test/.next/server/app-paths-manifest.json' and this write was by the process `next-server` when I checked which process using `ps` command

gin

2024-11-21T09:13:05.210Z

what user are u running your dev server?

u need to give that user read write permissions

and also delete your .next folder, give the user correct permissions and try again

Your Sophos thing is throwing that warning because the node runtime is saved in the nvm folder

again, has nothing to do why nextjs isnt starting

if u cant do that cause your server is managed by someone else, u need to contact the administrator and tell him to whitelist that folder or give appropriate permissions

@gin and also delete your .next folder, give the user correct permissions and try again

Sloth bearOP

2024-11-21T14:20:20.805Z

Okay. Will check the permission and try this

@gin and also delete your .next folder, give the user correct permissions and try again

Sloth bearOP

2024-11-27T07:10:43.801Z

The issue still exists. Sophos crypto guard detects node as ransomware

@gin again, has nothing to do why nextjs isnt starting

Sloth bearOP

2024-11-27T07:11:16.784Z

Next js projects starts, but the warning is still present