Thanks for posting. I’m not a security expert and I don’t know the file in question.
Please note the file is not downloaded to your server directly and will not run on your server directly. Instead it will run in your browser - for example in a notebook.
Whether that file is a file from HoloViz and whether it is in fact dangerous someone else will have to look at.
HoloViz is an open source, free and community driven project. It would surprise me if anyone in the community on purpose contributed a file with a security issue.
Thanks for reporting this, we take this very seriously; however, I’m a little confused. I don’t really understand in what form we’re either bundling or referring to the URL you are referencing:
Please provide some more detail where and how you encountered this file being loaded. I cannot imagine any of our libraries are using this file in any way.
I think that security scanner is simply very confused, that image is a PNG hosted on GitHub and PNG files cannot embed any external JS or PHP. This sounds like it has previously found malware on the GitHub domain and is now flagging any resources loaded from there. GitHub can host effectively anything since anyone can host stuff there so this sounds like a false alarm.
Again, I very much appreciate your concern, but from a technical perspective there is simply no way that I’m aware of that would allow embedding executable JS or PHP in a PNG file. If you know of any exploits that would allow this I’d be very happy to be proven wrong, but automated virus scanners have plenty of false positives.
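One way to settle a scanner flag like the one discussed above is to look at what the PNG actually contains at the chunk level rather than trusting the verdict either way. The following is an added example, not code from the HoloViz project or from anyone in this thread: it validates the PNG signature, walks the chunks, verifies each CRC, and reports non-standard chunk types, text chunks (which image decoders ignore but which pattern-matching scanners do read), and any bytes appended after IEND. The `build_sample_png` helper and the sample files it produces are constructed here purely so the check runs offline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification (critical plus common ancillary).
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"hIST",
    b"tIME", b"sPLT",
}
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Constructed 1x1 red RGB PNG used as sample input (hypothetical test data)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00")      # filter byte + one pixel
    chunks = [make_chunk(b"IHDR", ihdr)]
    chunks += [make_chunk(t, d) for t, d in extra_chunks]
    chunks += [make_chunk(b"IDAT", idat), make_chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(chunks) + trailer


def inspect_png(data: bytes) -> dict:
    """Walk the chunk structure and collect findings a reviewer would want."""
    if not data.startswith(PNG_SIGNATURE):
        return {"valid_signature": False, "chunks": [],
                "findings": ["file does not start with the PNG signature"],
                "trailing_bytes": len(data)}
    findings = []
    chunks = []
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        cdata = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(cdata) < length or len(crc_bytes) < 4:
            findings.append(f"truncated chunk {ctype!r}")
            pos = len(data)
            break
        crc_ok = struct.unpack(">I", crc_bytes)[0] == (zlib.crc32(ctype + cdata) & 0xFFFFFFFF)
        chunks.append({"type": ctype.decode("latin-1"), "length": length, "crc_ok": crc_ok})
        if not crc_ok:
            findings.append(f"bad CRC on chunk {ctype!r}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk type {ctype!r} ({length} bytes)")
        if ctype in TEXT_CHUNKS:
            # Decoders skip text chunks, but signature-based scanners read them.
            findings.append(f"text chunk {ctype!r} ({length} bytes)")
        pos += 12 + length
        if ctype == b"IEND":
            break
    trailing = len(data) - pos
    if trailing:
        findings.append(f"{trailing} bytes appended after IEND")
    return {"valid_signature": True, "chunks": chunks,
            "findings": findings, "trailing_bytes": trailing}


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_png()),
                          ("with tEXt and trailer",
                           build_sample_png([(b"tEXt", b"Comment\x00hello")], b"junk"))):
        report = inspect_png(sample)
        print(label, [c["type"] for c in report["chunks"]], report["findings"])
```

Run it against the flagged file by replacing the constructed sample with `open(path, "rb").read()`. An image whose report shows only IHDR/IDAT/IEND (plus ordinary ancillary chunks), valid CRCs, and no trailing bytes is just pixel data; a text chunk or appended bytes do not make the image executable either, but they are the usual reason a signature scanner matches on an image.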