MAL-2026-4764
Malicious code in pycalendar-api (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (bda873c38a1eee9ecea320371b0473466144f2bd41bc778dff8510cb5dcf4b5f)

pyproject.toml line 8 declares `httpxyz` as a runtime dependency (`dependencies = ['httpxyz',...]`), and `pycalendar_api/utils/http_client.py` imports `httpxyz` and exercises an API surface (`httpxyz.Client`, `httpxyz.AsyncClient`, `httpxyz.Timeout`, `httpxyz.HTTPTransport`, `httpxyz.AsyncHTTPTransport`, `event_hooks`) that mirrors the well-known `httpx` HTTP client exactly. `httpxyz` is not a recognized mainstream PyPI package; the name is a clear typosquat of `httpx`, and the README links to the non-canonical `https://httpxyz.org`. Because the dependency is declared in the package metadata, `pip install pycalendar-api` resolves and installs whatever package owns the name `httpxyz` on PyPI onto the installer's machine: a silent transitive dependency the installer never asked for, which mimics a legitimate library. This is the namespace-abuse / dependency-confusion shape: the lure package uses a typosquat name as a hard dependency to drag attacker-controlled (or attacker-claimable) code into every installer's environment, while presenting a legitimate-looking API.
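The check a practitioner wants before installing is a look at what a package's metadata will pull in, not just at the package itself. The script below is an added example (not code from the advisory, from Amazon Inspector, or from the pycalendar-api project): it parses the `[project].dependencies` list of a pyproject.toml, normalizes each requirement name per PEP 503, and flags names that are absent from an allowlist of known-good packages but sit within a small edit distance of one. The pyproject text, the allowlist, and the `max_distance` threshold are constructed for the example; the allowlist would come from your own lockfiles in practice.

```python
import re

# Constructed sample mirroring the advisory's finding: a pyproject.toml that pulls in
# a look-alike of httpx as a hard runtime dependency (not the package's real file).
SAMPLE_PYPROJECT = """\
[project]
name = "pycalendar-api"
version = "0.1.0"
dependencies = [
    "httpxyz",
    "python-dateutil>=2.8",
    "Requests>=2.31",
]
"""

# Small allowlist of well-known names a typosquat would imitate (assumed here;
# populate it from your lockfiles or an internal allowlist in practice).
KNOWN_GOOD = {"httpx", "requests", "python-dateutil", "urllib3", "aiohttp", "pydantic"}


def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(spec):
    """Project name at the head of a PEP 508 requirement (version specifiers, extras, markers dropped)."""
    m = re.match(r"\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)", spec)
    if not m:
        raise ValueError(f"unparseable requirement: {spec!r}")
    return normalize(m.group(1))


def declared_dependencies(pyproject_text):
    """Runtime dependencies declared under [project].dependencies."""
    try:
        import tomllib  # standard library since Python 3.11
        return list(tomllib.loads(pyproject_text)["project"].get("dependencies", []))
    except ModuleNotFoundError:
        # Older interpreter without tomllib: pull the quoted strings out of the array literal.
        m = re.search(r"dependencies\s*=\s*\[(.*?)\]", pyproject_text, re.S)
        return re.findall(r"""["']([^"']+)["']""", m.group(1)) if m else []


def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_dependencies(pyproject_text, known_good=KNOWN_GOOD, max_distance=3):
    """Return [(declared_name, closest_known_name, distance)] for every declared dependency
    that is not on the allowlist but is within max_distance edits of an allowlisted name."""
    findings = []
    for spec in declared_dependencies(pyproject_text):
        name = requirement_name(spec)
        if name in known_good:
            continue
        closest, dist = min(((k, levenshtein(name, k)) for k in known_good), key=lambda t: t[1])
        if dist <= max_distance:
            findings.append((name, closest, dist))
    return findings


if __name__ == "__main__":
    for name, closest, dist in suspicious_dependencies(SAMPLE_PYPROJECT):
        print(f"suspicious dependency {name!r}: {dist} edit(s) from known package {closest!r}")
```

Run against the constructed sample, the only finding is `httpxyz`, two edits from `httpx`; `Requests>=2.31` and `python-dateutil>=2.8` normalize onto allowlisted names and are skipped. The edit-distance heuristic produces false positives for short or genuinely similar names, so treat a hit as a prompt for manual review of the dependency (its PyPI owner, release history and source), not as a verdict. Applying the check to the sdist or wheel metadata of the package you are about to install, rather than to a repository checkout, is what catches a dependency injected only in the published artifact.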
Affected packages
No fixed version published yet for pycalendar-api (pip). Pin to a known-safe version or switch to an alternative.