MAL-2026-4764
Vulnerability from ossf_malicious_packages
Published
2026-05-19 21:36
Modified
2026-05-19 21:36
Summary
Malicious code in pycalendar-api (PyPI)
Details
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (bda873c38a1eee9ecea320371b0473466144f2bd41bc778dff8510cb5dcf4b5f)
pyproject.toml line 8 declares httpxyz as a runtime dependency (dependencies = ['httpxyz',...]), and pycalendar_api/utils/http_client.py imports httpxyz and exercises an API surface (httpxyz.Client, httpxyz.AsyncClient, httpxyz.Timeout, httpxyz.HTTPTransport, httpxyz.AsyncHTTPTransport, event_hooks) that is byte-identical to the well-known httpx HTTP client. httpxyz is not a recognized mainstream PyPI package; the name is a clear typosquat of httpx, and the README links to a non-canonical https://httpxyz.org. Any pip install pycalendar-api will resolve and install whatever package owns the name httpxyz on PyPI onto the installer's machine — a silent transitive that the installer never asked for and that mimics a legitimate library. This is the namespace-abuse / dependency-confusion shape: the lure package uses a typosquat name as a hard dependency to drag attacker-controlled (or attacker-claimable) code into every installer's environment, while presenting a legitimate-looking API.
CWE
- CWE-506 - The product contains code that appears to be malicious in nature.
Credits
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "pyproject.toml",
"sha256": "3bb56bebb5b843ceb2bc6c8f22af26d7b62c0bf5cd4bc05224ca160b9d70cb00",
"tlsh": "5d51612299d51ab763c1008080841c01ef345d6b26cb78f857ab8b4c579dfb785bc43d"
}
],
"package_integrity": [
{
"filename": "pycalendar_api-0.4.0-py3-none-any.whl",
"hashes": {
"blake2b_256": "fe5c885eef92e303f9413d075b9c3f4af3e1acc0c1d83fed35409075d3e261e0",
"md5": "e0450d18283cb7a16d393403a584945e",
"sha256": "63e1dee215e13ef5abbb86a354f466aeac06962db48de968510ecc63d8e08510"
}
},
{
"filename": "pycalendar_api-0.4.0.tar.gz",
"hashes": {
"blake2b_256": "584342d3650829be362979f62eca2e54b6db3da57745ca8da5e19d2ec6e68720",
"md5": "f854866b04e8bcfe77323d8f299a2a4c",
"sha256": "38d1a3e38b0b3052be9a8ba646b6922db73a7f507a60812b1e2a73438eb7be4b"
}
}
]
}
},
"package": {
"ecosystem": "PyPI",
"name": "pycalendar-api"
},
"versions": [
"0.4.0"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-003284",
"import_time": "2026-05-26T05:50:20.997623354Z",
"modified_time": "2026-05-19T21:36:55Z",
"sha256": "bda873c38a1eee9ecea320371b0473466144f2bd41bc778dff8510cb5dcf4b5f",
"source": "amazon-inspector",
"versions": [
"0.4.0"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bda873c38a1eee9ecea320371b0473466144f2bd41bc778dff8510cb5dcf4b5f)\npyproject.toml line 8 declares `httpxyz` as a runtime dependency (`dependencies = [\u0027httpxyz\u0027,...]`), and `pycalendar_api/utils/http_client.py` imports `httpxyz` and exercises an API surface (`httpxyz.Client`, `httpxyz.AsyncClient`, `httpxyz.Timeout`, `httpxyz.HTTPTransport`, `httpxyz.AsyncHTTPTransport`, `event_hooks`) that is byte-identical to the well-known `httpx` HTTP client. `httpxyz` is not a recognized mainstream PyPI package; the name is a clear typosquat of `httpx`, and the README links to a non-canonical `https://httpxyz.org`. Any `pip install pycalendar-api` will resolve and install whatever package owns the name `httpxyz` on PyPI onto the installer\u0027s machine \u2014 a silent transitive that the installer never asked for and that mimics a legitimate library. This is the namespace-abuse / dependency-confusion shape: the lure package uses a typosquat name as a hard dependency to drag attacker-controlled (or attacker-claimable) code into every installer\u0027s environment, while presenting a legitimate-looking API.\n",
"id": "MAL-2026-4764",
"modified": "2026-05-19T21:36:55Z",
"published": "2026-05-19T21:36:55Z",
"references": [
{
"type": "PACKAGE",
"url": "https://pypi.org/project/pycalendar-api/0.4.0/"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in pycalendar-api (PyPI)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…