MAL-2026-4760

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/nvidia-nat-semantic-kernel/MAL-2026-4760.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4760
Withdrawn
2026-06-13T01:41:13Z
Published
2026-05-21T10:47:05Z
Modified
2026-06-15T00:15:55.963722813Z
Summary
Malicious code in nvidia-nat-semantic-kernel (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fe66a4b0f7f00b8e8a9abd877b3ab0531d56906cc11f6fa6ecaddd4b0bebbbe1)

The package's METADATA declares Requires-Dist: ruamel-yaml-clibz==0.3.5, a typosquat of the well-known ruamel-yaml-clib (note the trailing 'z'). Installing nvidia-nat-semantic-kernel via pip will silently resolve and install ruamel-yaml-clibz from PyPI, bringing whatever code that lookalike package ships into the installer's environment. The substitution is inconsistent with the rest of the dependency list, which uses standard upstream names, and ruamel-yaml-clib (without the z) is the canonical C-extension companion to ruamel.yaml that the YAML stack normally requires. This is the dependency-confusion / pull-through-typosquat pattern: the host package is the vector, and the harm arrives through the named transitive.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.8.0a20260521"
            ],
            "id": "IN-MAL-2026-003799",
            "modified_time": "2026-05-21T10:47:05Z",
            "sha256": "fd31ef3bb7acb152519e55b43037368e8dfc21d444050bec7739778c4ce73381",
            "import_time": "2026-05-26T05:51:20.196367971Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.8.0a20260607"
            ],
            "id": "IN-MAL-2026-005859",
            "import_time": "2026-06-12T19:43:40.957542887Z",
            "modified_time": "2026-06-12T19:03:27Z",
            "sha256": "f32e25245e0ef36f469203aba98a1b9f2da197e8df3d4333e979f8772ff53535",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.9.0a20260611"
            ],
            "id": "IN-MAL-2026-005860",
            "import_time": "2026-06-12T19:43:41.035200828Z",
            "modified_time": "2026-06-12T19:03:29Z",
            "sha256": "fe66a4b0f7f00b8e8a9abd877b3ab0531d56906cc11f6fa6ecaddd4b0bebbbe1",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

PyPI / nvidia-nat-semantic-kernel

Package

Name
nvidia-nat-semantic-kernel
View open source insights on deps.dev
Purl
pkg:pypi/nvidia-nat-semantic-kernel

Affected ranges

Affected versions

1.*
1.8.0a20260521
1.8.0a20260607
1.9.0a20260611

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "ad4165a52a850afa3bc108c77b8d591ad19aca0ce74e18e5f5e5c1c542ac77283fc0bd",
            "sha256": "40cdbeb77ef82d1a17fef0745c9d3949943788c6af73ab2d186aafba34232d4b",
            "path": "nvidia_nat_semantic_kernel-1.8.0a20260521.dist-info/METADATA"
        }
    ],
    "package_integrity": [
        {
            "filename": "nvidia_nat_semantic_kernel-1.8.0a20260521-py3-none-any.whl",
            "hashes": {
                "md5": "83c6ac5c5c9ce3ea59d7aaca4651bdf1",
                "sha256": "ccae67168c818fbc122454565bd1498f8b4dcfca534b6dc9b9a86af8b8110f39",
                "blake2b_256": "5d2e1abdc5dbba5c91506af481af0149c0d80161c31e73508a9d27c57dd56bcd"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/nvidia-nat-semantic-kernel/MAL-2026-4760.json"