lmstudio-ai / lms

LM Studio CLI
https://lms.dev
MIT License

Potentially Fraudulent "Official" PyPI Package? #83

Open addictivepixels opened 1 week ago

addictivepixels commented 1 week ago

Stumbled upon this package claiming to be "official": https://pypi.org/project/lmstudio-api/1.0.1/

Maintainer name was odd, so I inspected the inner files (without actually installing the package). When doing so, I found that __init__.py is coded to download an exe file from https://filego.app into the local user's startup folder.

With the inner comment of "dropper / loader" found in __init__.py, this is highly likely to be malicious.

Wanted to make the LM Studio maintainers aware that it looks like someone is using their popularity to push malicious PyPI packages.
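The report above describes reviewing a package's files without installing it. As an added example (not code from the reporter or from the LM Studio project), the following Python reads a wheel archive from bytes and flags the kind of indicators mentioned in the report (an external download URL, a startup-folder path, an .exe name, a "dropper / loader" comment) without importing or executing anything in it. The archive, its member names (suspect_pkg) and the indicator patterns are constructed for this demo and are not taken from the real package.

```python
import io
import re
import zipfile

# Constructed indicator patterns a reviewer would flag on a static read.
INDICATORS = {
    "remote_download": re.compile(r"urlretrieve|urlopen|requests\.get|wget|curl", re.I),
    "startup_folder": re.compile(r"Start Menu.{0,5}Programs.{0,5}Startup|\.config/autostart", re.I),
    "executable_drop": re.compile(r"\.exe\b|\.scr\b|\.bat\b", re.I),
    "exec_spawn": re.compile(r"subprocess\.|os\.startfile|os\.system", re.I),
    "loader_comment": re.compile(r"#.*\b(dropper|loader|payload)\b", re.I),
    # Any URL not pointing at PyPI's own hosts is worth a look.
    "external_url": re.compile(r"https?://(?!pypi\.org|files\.pythonhosted\.org)[\w.-]+", re.I),
}

def scan_source(text):
    """Return {indicator_name: [line numbers]} for one source file's text."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(n)
    return hits

def scan_wheel(data):
    """Open a wheel (zip) from bytes and scan each .py member; nothing is imported."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if member.endswith(".py"):
                hits = scan_source(zf.read(member).decode("utf-8", "replace"))
                if hits:
                    report[member] = hits
    return report

def build_sample_wheel():
    """Constructed sample archive for the demo; only defines strings, runs nothing."""
    init_py = (
        "# dropper / loader\n"
        "import os\n"
        "STARTUP = os.path.join(os.environ.get('APPDATA', ''), 'Microsoft', 'Windows', 'Start Menu', 'Programs', 'Startup')\n"
        "PAYLOAD_URL = 'https://example.invalid/update.exe'\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("suspect_pkg/__init__.py", init_py)
        zf.writestr("suspect_pkg/client.py", "def version():\n    return '1.0.1'\n")
    return buf.getvalue()

if __name__ == "__main__":
    for path, hits in scan_wheel(build_sample_wheel()).items():
        print(path, hits)
```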

yagil commented 5 days ago

Thanks for the report @addictivepixels. We will look into this asap.

In the meantime, if you (and others) have a way to report this to PyPI as users, please do.

addictivepixels commented 4 days ago

Update: that package has been removed by admins 😁

On Thu, Oct 17, 2024, 8:55 PM Yagil Burowski @.***> wrote:

Thanks for the report @addictivepixels https://github.com/addictivepixels. We will look into this asap
