MAL-2026-4764

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pycalendar-api/MAL-2026-4764.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4764
Published
2026-05-19T21:36:55Z
Modified
2026-05-26T06:03:13.334871614Z
Summary
Malicious code in pycalendar-api (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bda873c38a1eee9ecea320371b0473466144f2bd41bc778dff8510cb5dcf4b5f)

pyproject.toml line 8 declares httpxyz as a runtime dependency (dependencies = ['httpxyz',...]), and pycalendar_api/utils/http_client.py imports httpxyz and exercises an API surface (httpxyz.Client, httpxyz.AsyncClient, httpxyz.Timeout, httpxyz.HTTPTransport, httpxyz.AsyncHTTPTransport, event_hooks) that is byte-identical to the well-known httpx HTTP client. httpxyz is not a recognized mainstream PyPI package; the name is a clear typosquat of httpx, and the README links to a non-canonical https://httpxyz.org. Any pip install pycalendar-api will resolve and install whatever package owns the name httpxyz on PyPI onto the installer's machine — a silent transitive that the installer never asked for and that mimics a legitimate library. This is the namespace-abuse / dependency-confusion shape: the lure package uses a typosquat name as a hard dependency to drag attacker-controlled (or attacker-claimable) code into every installer's environment, while presenting a legitimate-looking API.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.4.0"
            ],
            "id": "IN-MAL-2026-003284",
            "modified_time": "2026-05-19T21:36:55Z",
            "import_time": "2026-05-26T05:50:20.997623354Z",
            "sha256": "bda873c38a1eee9ecea320371b0473466144f2bd41bc778dff8510cb5dcf4b5f",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

PyPI / pycalendar-api

Package

Affected ranges

Affected versions

0.*
0.4.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pycalendar-api/MAL-2026-4764.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "pycalendar_api-0.4.0-py3-none-any.whl",
            "hashes": {
                "md5": "e0450d18283cb7a16d393403a584945e",
                "blake2b_256": "fe5c885eef92e303f9413d075b9c3f4af3e1acc0c1d83fed35409075d3e261e0",
                "sha256": "63e1dee215e13ef5abbb86a354f466aeac06962db48de968510ecc63d8e08510"
            }
        },
        {
            "filename": "pycalendar_api-0.4.0.tar.gz",
            "hashes": {
                "md5": "f854866b04e8bcfe77323d8f299a2a4c",
                "sha256": "38d1a3e38b0b3052be9a8ba646b6922db73a7f507a60812b1e2a73438eb7be4b",
                "blake2b_256": "584342d3650829be362979f62eca2e54b6db3da57745ca8da5e19d2ec6e68720"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "pyproject.toml",
            "sha256": "3bb56bebb5b843ceb2bc6c8f22af26d7b62c0bf5cd4bc05224ca160b9d70cb00",
            "tlsh": "5d51612299d51ab763c1008080841c01ef345d6b26cb78f857ab8b4c579dfb785bc43d"
        }
    ]
}