MAL-2026-4761

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/openirf/MAL-2026-4761.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4761
Withdrawn
2026-05-26T22:13:04Z
Published
2026-05-19T21:48:55Z
Modified
2026-05-27T00:32:14.079946276Z
Summary
Malicious code in openirf (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cb17f2c97bd5a4cabcb86b5a51c9639749048f9675b6fa1d881e66d4d8b02958)

pyproject.toml lists tdqm as a runtime dependency alongside numpy, scipy, and matplotlib. The package's source code imports tqdm (the legitimate progress-bar library), and requirements.txt correctly lists tqdm — the pyproject entry is a one-character typo that resolves to a different, third-party-controlled PyPI package well-known as a typosquat of tqdm. Any installer running pip install OpenIRF will silently pull tdqm into their environment, executing whatever code that typosquat ships at install/import time. The mismatch between requirements.txt (tqdm) and pyproject.toml (tdqm) confirms this is a packaging error rather than intentional, but the installer-side harm is identical: an unrelated third-party package enters the dependency tree without the installer's awareness.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "cb17f2c97bd5a4cabcb86b5a51c9639749048f9675b6fa1d881e66d4d8b02958",
            "id": "IN-MAL-2026-003286",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:21.197062366Z",
            "modified_time": "2026-05-19T21:48:55Z",
            "versions": [
                "0.1.4a1"
            ]
        }
    ]
}
References
Credits

Affected packages

PyPI / openirf

Package

Affected ranges

Affected versions

0.*
0.1.4a1

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "pyproject.toml",
            "tlsh": "d01110b38be36d259a821150901e4516fef458035ec8a09e77e9818c9f7d8efc2fc82d",
            "sha256": "2d688eef6b2f42e1774e29004c71103ef7df375e2cb6eda0626ca49a6b179f5c"
        }
    ],
    "package_integrity": [
        {
            "filename": "openirf-0.1.4a1-py3-none-any.whl",
            "hashes": {
                "md5": "f82ea413b90d791ad325735e2a01214e",
                "blake2b_256": "70bb9ac99d2c7b41f013d81f50af5c1efde48c333121799e7b799c5d330557a9",
                "sha256": "50207eac8883910621e9504566f8caa1bf16e6248154a86ea2313b38ed75b929"
            }
        },
        {
            "filename": "openirf-0.1.4a1.tar.gz",
            "hashes": {
                "md5": "568a3246629d6b3ff8d1dda6efa06d5a",
                "blake2b_256": "e5b13621f5c8cfa21837e203ea85905a3acf8c5fe580d5628eb73ba66a5baf8c",
                "sha256": "562aa535f2435c42ceaf50f35147b64032aedfc8716fa164cf929d1d88e30b1e"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/openirf/MAL-2026-4761.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]