Question / Help Keylogging Malware hidden in OBS?

IAMJOHNCULLEN

New Member
After upgrading my OS to Catalina, I received a message that "sh" wants to log all my keystrokes...
Pretty certain it's coming from the OBS install, as it doesn't pop up until I first attempt to launch OBS. Once "sh" is on your machine, it appears to be a "hidden app" with no icon. It is difficult to find or eradicate without re-installing the OS.

Anyone else having experience with "sh"..??
sh.png
Sh keyboard monitoring.png
 

MorluneTV

New Member
I saw exactly the same thing you described today when I installed OBS on my MacBook Pro. Interested to learn more about this.
 

ricardomartins

New Member
It's probably related to the shortcuts feature.
OBS is recommended by many big companies out there, and its code is open source. If that were the case, someone would probably have pointed it out before.
 

tcs

New Member
Hi, I think it's some malware; the access request should be named after "OBS", not "sh". I did a screencap and saw the list related to "sh". Can anyone from OBS address this?

"Sh" requests:
Accessibility
Input Monitoring
Keystroke
System Event
Bin

This is something unusual for OBS after using it for over 3 years.
Accessibility Screenshot 2019-11-07 at 10.17.09 AM.png
Input Monitoring Screenshot 2019-11-11 at 5.12.12 PM.png
Keystroke Screenshot 2019-11-11 at 5.17.11 PM.png
System Events Screenshot 2019-11-12 at 9.45.44 AM.png
Bin Screenshot 2019-11-11 at 2.48.26 PM.png
 

Narcogen

Active Member
Sh is just the shell you're using when you open terminal. It's located at /bin/sh

That means a script that runs in sh is trying to do this.

I've installed the latest OBS and I don't have that. Where was the copy of OBS you installed downloaded from?
 

WizardCM

Forum Moderator
Community Helper
macOS Catalina introduces more aggressive checks and notifications when it comes to asking for permission for things, building on the changes in Mojave.

OBS Studio v24.0 and below use a shell script (.sh) to launch the macOS binary (found here). OBS requires access to your keyboard to listen for hotkeys that you configure. Therefore, Catalina is asking if you would like OBS (via its parent process, sh) to allow you to use hotkeys when you have other applications focused. It's definitely not a keylogger or malware.

This script has remained largely untouched for a long time due to how few macOS devs are on the team. The macOS builds we distribute are pulled directly from our public CI, which pulls from GitHub master.

However, due to the heavy permission changes in Catalina (which cause the message you're seeing, and other crashes/issues), @DDRBoxman has recently put in a lot of effort to overhaul how we build & package macOS. You can find details on the test build here.
Once you've updated to the test build, and when we've released 24.1 and above (no ETA), you can revoke the keyboard access permission from sh.
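
To see which script a permission prompt named "sh" belongs to, list every sh process together with the script it is running and the programs it launched. This is an added example, not part of the post above or OBS's own code; the function names and the sample listing (the Example.app paths) are constructed for illustration, and it assumes ps shows the interpreter followed by the script path.

```shell
#!/bin/sh
# Added example (not from the thread): map "sh" processes to the script
# they run and to the child processes that script started.
# Live use on macOS:  ps -axww -o pid=,ppid=,command= | sh_launchers

# Reads "pid ppid command..." lines on stdin.
# Prints: pid <TAB> script (with arguments) <TAB> children ("-" if none).
sh_launchers() {
    awk '
    {
        cmd = $0
        # Strip the two leading numeric columns, keep the full command line.
        sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+/, "", cmd)
        cmdof[$1] = cmd
        parent[$1] = $2
        order[++n] = $1
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            # Only sh invoked with a script path; skips "sh -c ..." and login shells.
            if (cmdof[p] !~ /^(\/bin\/)?sh[ \t]+[^-]/) continue
            script = cmdof[p]
            sub(/^(\/bin\/)?sh[ \t]+/, "", script)
            kids = ""
            for (j = 1; j <= n; j++) {
                c = order[j]
                if (parent[c] == p) kids = kids (kids == "" ? "" : "; ") cmdof[c]
            }
            printf "%s\t%s\t%s\n", p, script, (kids == "" ? "-" : kids)
        }
    }'
}

# Constructed sample listing; Example.app is a placeholder, not a real path.
sample_ps() {
    cat <<'EOF'
  501     1 /bin/sh /Applications/Example.app/Contents/Resources/launch.sh
  502   501 /Applications/Example.app/Contents/Resources/bin/example --flag
  610     1 /usr/sbin/cfprefsd agent
  733   700 -zsh
EOF
}

# Run with --demo to print the result for the constructed listing.
if [ "${1:-}" = "--demo" ]; then sample_ps | sh_launchers; fi
```

A script path inside an application bundle you installed, with that application's binary as its child, matches the launcher arrangement described in the post; a script path you cannot account for is the case worth investigating.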
 

tcs

New Member
Hi Narcogen, it's from the attached:
Screenshot 2019-12-02 at 11.59.45 AM.png
 

tcs

New Member
Hi WizardCM, I seem to get more warnings from many recent updates for macOS.
Screenshot 2019-12-02 at 11.57.45 AM.png
 

WizardCM

Forum Moderator
Community Helper
This is currently expected (I believe this will change for the 24.1 release but I'm not 100% sure) as the installer isn't signed, but the installed package is signed. You can click the '?' icon to bypass the dialog.
 

tcs

New Member
Alright thanks : )
 

dulcedulce

New Member
This is what I got on July 4th 2020. Program is tainted, god knows what info it's downloading to whom from the people that already have it.
 

Attachments

  • Screen Shot 2020-07-04 at 1.42.31 AM.png

tixrus

New Member
I just upgraded to Catalina and downloaded version 26.0.2 64 bit. I'm setting it up and getting this and I know what 'sh' is but mine is OBS asking for this permission, like some other posters have reported. So it didn't change for 24.1 I guess but hell IDK, maybe only the text of the dialog box changed and it means nothing. What do you lose by NOT allowing it? Will the software not work at all or will you just not be able to do keystroke shortcuts? I downloaded my OBS from an official site I think. There is no answer here that is reassuring, and some that are ignorant alarmist (NO sh is not malware!!!) but the idea that apps have been keylogging all along through accessibility is disturbing, and now you have to specifically grant them permission to do what they have been doing in previous OS anyway (am I understanding that correctly?) especially since we were promised that they would fix this.
Screen Shot 2020-10-18 at 10.47.24 AM.png
 

WizardCM

Forum Moderator
Community Helper
Per an early response of mine:
OBS requires access to your keyboard to listen for hotkeys that you configure. Therefore, Catalina is asking if you would like OBS to allow you to use hotkeys when you have other applications focused.

If you choose to Deny, you won't be able to use hotkeys when other windows are focused. Otherwise, OBS should continue to work as normal. In this particular case, another term for what OBS is doing would be "listening for specific keystrokes" rather than "keylogging". We agree keyloggers are bad and would never use/store any keys you didn't explicitly add to Hotkeys or as part of OBS' standard keyboard shortcuts. Additionally, no keypress information is ever sent to any servers and it's kept strictly in your scene collection/settings file.
 