WARNING: Fake bimorphNodes package on the Package Manager

I’ve discovered a fake bimorphNodes package appearing on the package manager which includes dll’s spliced from earlier versions. I have no idea what this person is up to nor if it contains some malicious code but I strongly suggest you do not download it nor mistake it for the genuine package.

The genuine BimorphNode package can be easily identified by the following:

  1. It has over 130,000 downloads at the time of writing.
  2. It is named bimorphNodes with a lowercase ‘b’ to match the Bimorph brand logo.
  3. Its published by thomas@bimorphBIM. Packages from bimorph are only ever published using this user name.

I’ve reported this infraction to @solamour who as we know is really awesome and is quickly removing the imposter package. I hope they improve the package manager to stop this type of problem from getting out of hand as Dynamo increases it userbase, as it seems incredibly easy to exploit.


Sorry to hear that! :slightly_frowning_face:
I was wondering if something like this would happen eventually…

Really sad to hear this.
Good that you point that out so that we all start to think about the security even here.


1 Like

Last week we discussed this issue coincidental and we came to the conclusion it could not happen. Without the original credentials is it not possible to hijack a package. But I didn’t think of publishing a lookalike.

It is hard to believe someone bothers to write suspicious software for such a specific group, so probably someone just takes a ride on your success. But we should be aware that it is possible to install risky packages.

1 Like