-= Per source details. Do not edit below this line.=-
pyproject.toml line 8 declares httpxyz as a runtime dependency (dependencies = ['httpxyz',...]), and pycalendar_api/utils/http_client.py imports httpxyz and exercises an API surface (httpxyz.Client, httpxyz.AsyncClient, httpxyz.Timeout, httpxyz.HTTPTransport, httpxyz.AsyncHTTPTransport, event_hooks) that is byte-identical to the well-known httpx HTTP client. httpxyz is not a recognized mainstream PyPI package; the name is a clear typosquat of httpx, and the README links to a non-canonical https://httpxyz.org. Any pip install pycalendar-api will resolve and install whatever package owns the name httpxyz on PyPI onto the installer's machine — a silent transitive that the installer never asked for and that mimics a legitimate library. This is the namespace-abuse / dependency-confusion shape: the lure package uses a typosquat name as a hard dependency to drag attacker-controlled (or attacker-claimable) code into every installer's environment, while presenting a legitimate-looking API.
{
"malicious-packages-origins": [
{
"versions": [
"0.4.0"
],
"id": "IN-MAL-2026-003284",
"modified_time": "2026-05-19T21:36:55Z",
"import_time": "2026-05-26T05:50:20.997623354Z",
"sha256": "bda873c38a1eee9ecea320371b0473466144f2bd41bc778dff8510cb5dcf4b5f",
"source": "amazon-inspector"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pycalendar-api/MAL-2026-4764.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "pycalendar_api-0.4.0-py3-none-any.whl",
"hashes": {
"md5": "e0450d18283cb7a16d393403a584945e",
"blake2b_256": "fe5c885eef92e303f9413d075b9c3f4af3e1acc0c1d83fed35409075d3e261e0",
"sha256": "63e1dee215e13ef5abbb86a354f466aeac06962db48de968510ecc63d8e08510"
}
},
{
"filename": "pycalendar_api-0.4.0.tar.gz",
"hashes": {
"md5": "f854866b04e8bcfe77323d8f299a2a4c",
"sha256": "38d1a3e38b0b3052be9a8ba646b6922db73a7f507a60812b1e2a73438eb7be4b",
"blake2b_256": "584342d3650829be362979f62eca2e54b6db3da57745ca8da5e19d2ec6e68720"
}
}
],
"evidence_files": [
{
"path": "pyproject.toml",
"sha256": "3bb56bebb5b843ceb2bc6c8f22af26d7b62c0bf5cd4bc05224ca160b9d70cb00",
"tlsh": "5d51612299d51ab763c1008080841c01ef345d6b26cb78f857ab8b4c579dfb785bc43d"
}
]
}