Chaintrap · PyPI — hyp-server@1.2.0

package

hyp-server

version

1.2.0

artifact

hyp-server-1.2.0.tar.gz

sha256

2530394262e160554c6fc6f6980fa3c95003b9fbd1433858…

files scanned

detection ruleset

pypi_malware_rules 2026-04-17

scanner build

pypi-mal-scan-2026-04-14

Executive summary

PyPI greenfield scan rated this release PASS (heuristic score 0.0 / 10). OSV reported 0 advisory ID(s); static analysis emitted 0 pattern hit(s).

Scanners prioritize signal over certainty: expect both false positives and blind spots. Combine OSV data with static findings and your own policy — this report does not replace manual review.

Heuristic score: 0.0 / 10 · Scanner: pypi-mal-scan-2026-04-14

Verdict

PASS

OSV IDs

Static hits

⚖

Verdict rationale

Heuristic score combines static rules, OSV hits for this exact version, and optional pip-audit / Bandit output. It is not a malware conviction.

Raw sum before 10.0 cap: 0.0 · Capped total: 0.0

Static pattern rules (line-level)		0 match(es); weights sum to this bucket before global cap.
OSV advisories (exact name@version)		0 record(s); capped at 4.0 points.
pip-audit (optional)		0 vuln row(s); capped at 3.0; enable PYPI_PIP_AUDIT.
Bandit high/critical (optional)		0 finding(s); capped at 3.0; enable PYPI_BANDIT.

Ruleset: 2026-04-17

BLOCK — >= 9.0
REVIEW — >= 7.0
WARN — >= 4.5
INFO — >= 1.5
PASS — < 1.5

↗

Source & project links

Use Source Code / Homepage for manual review of the upstream repo. This scan does not clone those URLs.

Homepage	http://github.com/rnhmjoj/hyp
Download	UNKNOWN

Links come from PyPI JSON metadata only; this scan does not clone or diff the upstream repository.
Static rules and optional Bandit run on the **published wheel/sdist** bytes from PyPI, which may omit files present only in VCS.

★

Publisher identity

Author rnhmjoj

Author email micheleguerinirocco@me.com

Trove classifiers

License :: OSI Approved :: GNU General Public License (GPL)License :: OSI Approved :: MIT LicenseProgramming Language :: Python :: 3 :: OnlyTopic :: Communications :: File SharingTopic :: Internet :: WWW/HTTP :: HTTP Servers

◆

Package overview

Hyperminimal https server

License MIT-GPL

■

Scan coverage

Line-level rules ran over text-like files under the extracted artifact (max 400000 bytes per file).

Files scanned: 8
Skipped (over size): 0
Approx. lines: 172
Text bytes read: 5504

Files by suffix (top 24):

`.txt`	4
`.py`	3
`.cfg`	1

🔎

0 known vulnerabilities (OSV)

OSV lookup: Checked

Chaintrap pairs static behavior signals above with OSV data for this exact version — cross-check CVEs and malware listings with install scripts, execution paths, and scanner findings.

Source: osv.dev — queried at scan time.

0 advisory ID(s) returned by OSV query.

No known vulnerabilities reported for this exact version.

◆

Direct dependencies (OSV)

Declared requires_dist strings from package metadata. Each dependency is resolved to the highest PyPI version matching the version specifier, then checked against OSV for that exact name@version. Does not affect the headline verdict score.

Each row uses the highest PyPI release that satisfies the declared version specifier.
Environment markers are not evaluated; resolution ignores ``python_version`` / platform constraints.
This is not a lockfile install graph — only direct ``requires_dist`` strings from package metadata.

No requires_dist entries in PyPI metadata for this release.

⚠

Static pattern findings

Detection library pypi_malware_rules (2026-04-17) — 75 line-level rules over .py and other text artifacts. Matches are triage signals, not proof of malice.

No static pattern matches in extracted source files.

☖

Analyst next steps

Recommended checks

Treat findings as triage signals, not automatic malware verdicts.
Open the Source Code / Homepage links above and compare tagged releases to the artifact hash you scanned.
If MAL-* OSV IDs appear, review OpenSSF malicious-packages context and isolate affected hosts.
Pin dependencies with hashes in CI; prefer wheels from PyPI with digest verification.