pypi

openirf @0.1.4a1

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4761

Ecosystem

pypi

Summary

pyproject.toml lists tdqm as a runtime dependency alongside numpy, scipy, and matplotlib. The package's source code imports tqdm (the legitimate progress-bar library), and requirements.txt correctly lists tqdm; the pyproject entry transposes two letters and so resolves to a different, third-party-controlled PyPI package well known as a typosquat of tqdm. Because pip resolves dependencies from the project metadata built from pyproject.toml, not from requirements.txt, anyone running pip install OpenIRF will silently pull tdqm into their environment and execute whatever code that typosquat ships at install or import time. The mismatch between requirements.txt (tqdm) and pyproject.toml (tdqm) indicates a packaging error rather than intent, but the installer-side harm is identical: an unrelated third-party package enters the dependency tree without the installer's awareness.

Source: amazon-inspector (cb17f2c97bd5a4cabcb86b5a51c9639749048f9675b6fa1d881e66d4d8b02958)
