ninxsoft / Mist

A Mac utility that automatically downloads macOS Firmwares / Installers.

On creation of a login item this refers to a malicious URL

lalaRLH opened this issue · comments

On creation of the helper, which requires administrative credentials, this refers to a URL, https://perfops.glbcdn.net/500b-bench.jpg, which is contained within a number of threat intelligence feeds as being malicious. Both JAMF Threat Intelligence filtering and Symantec Endpoint Protection flag this as a malware attempt.

https://www.virustotal.com/gui/url/2e5116b18367c186deb4caaa39149abc20f27886da5f222806edefcc1e7243d4/detection

It is also contained within a tracked VirusTotal distribution network via their threat intelligence platform: https://www.virustotal.com/graph/embed/g03866aa0da7746d591ae92eaed9f517606d714ec8a314841b7318c65418b2012?theme=dark

Looking through this data, it is evident there are a number of different files served up, from PDFs to documents etc., that appear to be a non-malicious file format but in fact are masquerading as malware when that format is loaded.

This is often not deliberate and code is compiled from various sources; usually it ends up in the code without any sort of malicious intent. Even if deemed acceptable, it should still be removed, as any code pointing to known malicious domains is not acceptable.

@lalaRLH just confirming this is in relation to Mist?

Do you have more context relating to the URL? I cannot see any traces of https://perfops.glbcdn.net/500b-bench.jpg within the Mist source code or dependencies 🤔

Closing due to inactivity, will re-open if required 👍
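
One way to check the point raised in the thread, whether the flagged host appears anywhere in a source checkout or an installed app bundle, is to search every file for the host in both UTF-8 and UTF-16LE form. This is an added example, not part of the original thread or the project's code; the function names are hypothetical.

```python
import os

INDICATOR = "perfops.glbcdn.net"  # host from the URL quoted in the issue
CHUNK = 1 << 20                   # default read size in bytes

def encodings(text):
    """Byte patterns for the string as stored in source files and compiled binaries."""
    return {"utf-8": text.encode("utf-8"), "utf-16le": text.encode("utf-16-le")}

def scan_file(path, patterns, chunk=CHUNK):
    """Yield (encoding, offset) per match; chunks overlap so no match is split."""
    overlap = max(len(p) for p in patterns.values()) - 1
    seen = set()
    with open(path, "rb") as fh:
        base, tail = 0, b""
        while True:
            block = fh.read(chunk)
            if not block:
                break
            buf = tail + block
            start = base - len(tail)  # absolute offset of buf[0]
            for name, pat in patterns.items():
                pos = buf.find(pat)
                while pos != -1:
                    hit = (name, start + pos)
                    if hit not in seen:  # the overlap can re-find a match
                        seen.add(hit)
                        yield hit
                    pos = buf.find(pat, pos + 1)
            tail = buf[-overlap:]
            base += len(block)

def scan_tree(root, indicator=INDICATOR):
    """Return sorted (relative path, encoding, offset) hits under root."""
    patterns = encodings(indicator)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                for enc, off in scan_file(full, patterns):
                    hits.append((os.path.relpath(full, root), enc, off))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return sorted(hits)
```

An empty result means the literal host is absent from those files, not that the process never contacts it: a string assembled at runtime or stored compressed would not match. In that case the next step is to identify which process on the endpoint made the request.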