nvidia-nat-semantic-kernel @1.9.0a20260611
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4760
Ecosystem
pypi
Summary
The package's METADATA declares Requires-Dist: ruamel-yaml-clibz==0.3.5 , a typosquat of the well-known ruamel-yaml-clib (note the trailing 'z'). Installing nvidia-nat-semantic-kernel via pip will silently resolve and install ruamel-yaml-clibz from PyPI, bringing whatever code that lookalike package ships into the installer's environment. The substitution is inconsistent with the rest of the dependency list, which uses standard upstream names, and ruamel-yaml-clib (without the z) is the canonical C-extension companion to ruamel.yaml that the YAML stack normally requires. This is the dependency-confusion / pull-through-typosquat pattern: the host package is the vector, and the harm arrives through the named transitive.
Source: amazon-inspector (fe66a4b0f7f00b8e8a9abd877b3ab0531d56906cc11f6fa6ecaddd4b0bebbbe1)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.