-= Per source details. Do not edit below this line.=-
pyproject.toml lists tdqm as a runtime dependency alongside numpy, scipy, and matplotlib. The package's source code imports tqdm (the legitimate progress-bar library), and requirements.txt correctly lists tqdm — the pyproject entry is a one-character typo that resolves to a different, third-party-controlled PyPI package well-known as a typosquat of tqdm. Any installer running pip install OpenIRF will silently pull tdqm into their environment, executing whatever code that typosquat ships at install/import time. The mismatch between requirements.txt (tqdm) and pyproject.toml (tdqm) confirms this is a packaging error rather than intentional, but the installer-side harm is identical: an unrelated third-party package enters the dependency tree without the installer's awareness.
{
"malicious-packages-origins": [
{
"sha256": "cb17f2c97bd5a4cabcb86b5a51c9639749048f9675b6fa1d881e66d4d8b02958",
"id": "IN-MAL-2026-003286",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:21.197062366Z",
"modified_time": "2026-05-19T21:48:55Z",
"versions": [
"0.1.4a1"
]
}
]
}{
"evidence_files": [
{
"path": "pyproject.toml",
"tlsh": "d01110b38be36d259a821150901e4516fef458035ec8a09e77e9818c9f7d8efc2fc82d",
"sha256": "2d688eef6b2f42e1774e29004c71103ef7df375e2cb6eda0626ca49a6b179f5c"
}
],
"package_integrity": [
{
"filename": "openirf-0.1.4a1-py3-none-any.whl",
"hashes": {
"md5": "f82ea413b90d791ad325735e2a01214e",
"blake2b_256": "70bb9ac99d2c7b41f013d81f50af5c1efde48c333121799e7b799c5d330557a9",
"sha256": "50207eac8883910621e9504566f8caa1bf16e6248154a86ea2313b38ed75b929"
}
},
{
"filename": "openirf-0.1.4a1.tar.gz",
"hashes": {
"md5": "568a3246629d6b3ff8d1dda6efa06d5a",
"blake2b_256": "e5b13621f5c8cfa21837e203ea85905a3acf8c5fe580d5628eb73ba66a5baf8c",
"sha256": "562aa535f2435c42ceaf50f35147b64032aedfc8716fa164cf929d1d88e30b1e"
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/openirf/MAL-2026-4761.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]