-= Per source details. Do not edit below this line.=-
The package's METADATA declares Requires-Dist: ruamel-yaml-clibz==0.3.5, a typosquat of the well-known ruamel-yaml-clib (note the trailing 'z'). Installing nvidia-nat-semantic-kernel via pip will silently resolve and install ruamel-yaml-clibz from PyPI, bringing whatever code that lookalike package ships into the installer's environment. The substitution is inconsistent with the rest of the dependency list, which uses standard upstream names, and ruamel-yaml-clib (without the z) is the canonical C-extension companion to ruamel.yaml that the YAML stack normally requires. This is the dependency-confusion / pull-through-typosquat pattern: the host package is the vector, and the harm arrives through the named transitive.
{
"malicious-packages-origins": [
{
"versions": [
"1.8.0a20260521"
],
"id": "IN-MAL-2026-003799",
"modified_time": "2026-05-21T10:47:05Z",
"sha256": "fd31ef3bb7acb152519e55b43037368e8dfc21d444050bec7739778c4ce73381",
"import_time": "2026-05-26T05:51:20.196367971Z",
"source": "amazon-inspector"
},
{
"versions": [
"1.8.0a20260607"
],
"id": "IN-MAL-2026-005859",
"import_time": "2026-06-12T19:43:40.957542887Z",
"modified_time": "2026-06-12T19:03:27Z",
"sha256": "f32e25245e0ef36f469203aba98a1b9f2da197e8df3d4333e979f8772ff53535",
"source": "amazon-inspector"
},
{
"versions": [
"1.9.0a20260611"
],
"id": "IN-MAL-2026-005860",
"import_time": "2026-06-12T19:43:41.035200828Z",
"modified_time": "2026-06-12T19:03:29Z",
"sha256": "fe66a4b0f7f00b8e8a9abd877b3ab0531d56906cc11f6fa6ecaddd4b0bebbbe1",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"tlsh": "ad4165a52a850afa3bc108c77b8d591ad19aca0ce74e18e5f5e5c1c542ac77283fc0bd",
"sha256": "40cdbeb77ef82d1a17fef0745c9d3949943788c6af73ab2d186aafba34232d4b",
"path": "nvidia_nat_semantic_kernel-1.8.0a20260521.dist-info/METADATA"
}
],
"package_integrity": [
{
"filename": "nvidia_nat_semantic_kernel-1.8.0a20260521-py3-none-any.whl",
"hashes": {
"md5": "83c6ac5c5c9ce3ea59d7aaca4651bdf1",
"sha256": "ccae67168c818fbc122454565bd1498f8b4dcfca534b6dc9b9a86af8b8110f39",
"blake2b_256": "5d2e1abdc5dbba5c91506af481af0149c0d80161c31e73508a9d27c57dd56bcd"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/nvidia-nat-semantic-kernel/MAL-2026-4760.json"