{"id":"MAL-2026-4764","summary":"Malicious code in pycalendar-api (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bda873c38a1eee9ecea320371b0473466144f2bd41bc778dff8510cb5dcf4b5f)\npyproject.toml line 8 declares `httpxyz` as a runtime dependency (`dependencies = ['httpxyz',...]`), and `pycalendar_api/utils/http_client.py` imports `httpxyz` and exercises an API surface (`httpxyz.Client`, `httpxyz.AsyncClient`, `httpxyz.Timeout`, `httpxyz.HTTPTransport`, `httpxyz.AsyncHTTPTransport`, `event_hooks`) that is byte-identical to the well-known `httpx` HTTP client. `httpxyz` is not a recognized mainstream PyPI package; the name is a clear typosquat of `httpx`, and the README links to a non-canonical `https://httpxyz.org`. Any `pip install pycalendar-api` will resolve and install whatever package owns the name `httpxyz` on PyPI onto the installer's machine — a silent transitive that the installer never asked for and that mimics a legitimate library. This is the namespace-abuse / dependency-confusion shape: the lure package uses a typosquat name as a hard dependency to drag attacker-controlled (or attacker-claimable) code into every installer's environment, while presenting a legitimate-looking API.\n","modified":"2026-05-26T06:03:13.334871614Z","published":"2026-05-19T21:36:55Z","database_specific":{"malicious-packages-origins":[{"sha256":"bda873c38a1eee9ecea320371b0473466144f2bd41bc778dff8510cb5dcf4b5f","import_time":"2026-05-26T05:50:20.997623354Z","versions":["0.4.0"],"source":"amazon-inspector","id":"IN-MAL-2026-003284","modified_time":"2026-05-19T21:36:55Z"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/pycalendar-api/0.4.0/"}],"affected":[{"package":{"name":"pycalendar-api","ecosystem":"PyPI","purl":"pkg:pypi/pycalendar-api"},"versions":["0.4.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pycalendar-api/MAL-2026-4764.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"sha256":"3bb56bebb5b843ceb2bc6c8f22af26d7b62c0bf5cd4bc05224ca160b9d70cb00","path":"pyproject.toml","tlsh":"5d51612299d51ab763c1008080841c01ef345d6b26cb78f857ab8b4c579dfb785bc43d"}],"package_integrity":[{"filename":"pycalendar_api-0.4.0-py3-none-any.whl","hashes":{"sha256":"63e1dee215e13ef5abbb86a354f466aeac06962db48de968510ecc63d8e08510","blake2b_256":"fe5c885eef92e303f9413d075b9c3f4af3e1acc0c1d83fed35409075d3e261e0","md5":"e0450d18283cb7a16d393403a584945e"}},{"filename":"pycalendar_api-0.4.0.tar.gz","hashes":{"sha256":"38d1a3e38b0b3052be9a8ba646b6922db73a7f507a60812b1e2a73438eb7be4b","blake2b_256":"584342d3650829be362979f62eca2e54b6db3da57745ca8da5e19d2ec6e68720","md5":"f854866b04e8bcfe77323d8f299a2a4c"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}