Hmm. I scan my own dev machine constantly and nobody else has access to it, and I’m sure github works hard to keep files secure once uploaded. Nobody else has reported an issue (the file was downloaded 11216 times). So I’m confident the file itself was safe.
The two possibilities that come to mind are that:
- The file has become infected after arriving on your machine. Have you done a full scan of your computer?
- You were somehow the victim of a man-in-the-middle attack, whereby someone pretends to be giving you the file that you were expecting but actually supplies one that has been altered (had a trojan installed on its way to you).
- Maybe a false alarm from your antivirus.
Number 2. seems unlikely in the extreme, but it might be technically possible because the docs site is an http site. We might need to forward users to the github site rather than pass the file back from it to make this impossible, but I’ll need to check with an expert that my intuitions are correct on whether/what the potential threat is first.
What’s interesting is that I’ve had a separate report from an individual where it looks to me like a virus had been caught trying to alter a file within PsychoPy. She was worried that this was PsychoPy containing a virus but the screenshots she sent suggest that the psychopy file was the target of the virus not the cause.
Worrying to see two reports of activity in this domain though (having never had any such reports in the last 15 years!)