pycalendar-api @0.4.0

Summary

pyproject.toml line 8 declares httpxyz as a runtime dependency ( dependencies = ['httpxyz',...] ), and pycalendar_api/utils/http_client.py imports httpxyz and exercises an API surface ( httpxyz.Client , httpxyz.AsyncClient , httpxyz.Timeout , httpxyz.HTTPTransport , httpxyz.AsyncHTTPTransport , event_hooks ) that is byte-identical to the well-known httpx HTTP client. httpxyz is not a recognized mainstream PyPI package; the name is a clear typosquat of httpx , and the README links to a non-canonical https://httpxyz.org . Any pip install pycalendar-api will resolve and install whatever package owns the name httpxyz on PyPI onto the installer's machine — a silent transitive that the installer never asked for and that mimics a legitimate library. This is the namespace-abuse / dependency-confusion shape: the lure package uses a typosquat name as a hard dependency to drag attacker-controlled (or attacker-claimable) code into every installer's environment, while presenting a legitimate-looking API.

Source: amazon-inspector (bda873c38a1eee9ecea320371b0473466144f2bd41bc778dff8510cb5dcf4b5f)