The recommended installation instructions for the node version manager (nvm) are to download and run the install_nvm.sh bash script, which creates the ~/.nvm folder, and the nvm script, ~/.nvm/nvm.sh. On a macOS system protected with SentinelOne anti-malware software this triggers SentinelOne to alert and quarantine (i.e. remove) nvm.sh.
Does NVM represent in some way a legitimate threat? If not, is there a way to stop SentinelOne from quarantining it?
The affected versions of NVM are 0.39.0, 0.39.1, 0.39.2, 0.39.3 (current, as I write this question).
To reproduce, run the NVM installer script on macOS (13.4).
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.1/install.sh | bash
Look for a SentinelOne (22.4.2.6599) notification message to pop up:
“Threat detected. Detected malicious file. File Name nvm.sh”