MAL-2026-4761
Malicious code in openirf (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (cb17f2c97bd5a4cabcb86b5a51c9639749048f9675b6fa1d881e66d4d8b02958)

pyproject.toml lists `tdqm` as a runtime dependency alongside numpy, scipy, and matplotlib. The package's source code imports `tqdm` (the legitimate progress-bar library), and requirements.txt correctly lists `tqdm`; the pyproject entry is a one-character typo that resolves to a different, third-party-controlled PyPI package well known as a typosquat of `tqdm`. Anyone running `pip install OpenIRF` will silently pull `tdqm` into their environment, executing whatever code that typosquat ships at install or import time. The mismatch between requirements.txt (`tqdm`) and pyproject.toml (`tdqm`) confirms this is a packaging error rather than intentional, but the installer-side harm is identical: an unrelated third-party package enters the dependency tree without the installer's awareness.
Affected packages
No fixed version published yet for openirf (pip). Pin to a known-safe version or switch to an alternative.