{"id":"MAL-2026-4761","summary":"Malicious code in openirf (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cb17f2c97bd5a4cabcb86b5a51c9639749048f9675b6fa1d881e66d4d8b02958)\npyproject.toml lists `tdqm` as a runtime dependency alongside numpy, scipy, and matplotlib. The package's source code imports `tqdm` (the legitimate progress-bar library), and requirements.txt correctly lists `tqdm` — the pyproject entry is a one-character typo that resolves to a different, third-party-controlled PyPI package well-known as a typosquat of `tqdm`. Any installer running `pip install OpenIRF` will silently pull `tdqm` into their environment, executing whatever code that typosquat ships at install/import time. The mismatch between requirements.txt (`tqdm`) and pyproject.toml (`tdqm`) confirms this is a packaging error rather than intentional, but the installer-side harm is identical: an unrelated third-party package enters the dependency tree without the installer's awareness.\n","modified":"2026-05-27T00:32:14.079946276Z","published":"2026-05-19T21:48:55Z","withdrawn":"2026-05-26T22:13:04Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:50:21.197062366Z","source":"amazon-inspector","versions":["0.1.4a1"],"modified_time":"2026-05-19T21:48:55Z","sha256":"cb17f2c97bd5a4cabcb86b5a51c9639749048f9675b6fa1d881e66d4d8b02958","id":"IN-MAL-2026-003286"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/OpenIRF/0.1.4a1/"}],"affected":[{"package":{"name":"openirf","ecosystem":"PyPI","purl":"pkg:pypi/openirf"},"versions":["0.1.4a1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/openirf/MAL-2026-4761.json","indicators":{"evidence_files":[{"tlsh":"d01110b38be36d259a821150901e4516fef458035ec8a09e77e9818c9f7d8efc2fc82d","sha256":"2d688eef6b2f42e1774e29004c71103ef7df375e2cb6eda0626ca49a6b179f5c","path":"pyproject.toml"}],"package_integrity":[{"filename":"openirf-0.1.4a1-py3-none-any.whl","hashes":{"blake2b_256":"70bb9ac99d2c7b41f013d81f50af5c1efde48c333121799e7b799c5d330557a9","md5":"f82ea413b90d791ad325735e2a01214e","sha256":"50207eac8883910621e9504566f8caa1bf16e6248154a86ea2313b38ed75b929"}},{"filename":"openirf-0.1.4a1.tar.gz","hashes":{"blake2b_256":"e5b13621f5c8cfa21837e203ea85905a3acf8c5fe580d5628eb73ba66a5baf8c","md5":"568a3246629d6b3ff8d1dda6efa06d5a","sha256":"562aa535f2435c42ceaf50f35147b64032aedfc8716fa164cf929d1d88e30b1e"}}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}