PyPI package scan

Heuristic score combines static rules, OSV hits for this exact version, and optional pip-audit / Bandit output. It is not a malware conviction.

Raw sum before 10.0 cap: 1.0 · Capped total: 1.0

Findings by severity medium: 1

Ruleset: 2026-04-17

• BLOCK — >= 9.0
• REVIEW — >= 7.0
• WARN — >= 4.5
• INFO — >= 1.5
• PASS — < 1.5

Use Source Code / Homepage for manual review of the upstream repo. This scan does not clone those URLs.

No project URLs in PyPI metadata.

• Links come from PyPI JSON metadata only; this scan does not clone or diff the upstream repository.
• Static rules and optional Bandit run on the **published wheel/sdist** bytes from PyPI, which may omit files present only in VCS.

Author f1zzen

Makes HelloWorld("print") actually real.

Line-level rules ran over text-like files under the extracted artifact (max 400000 bytes per file).

• Files scanned: 3
• Skipped (over size): 0
• Approx. lines: 18
• Text bytes read: 431

Files by suffix (top 24):

Declared requires_dist strings from package metadata. Each dependency is resolved to the highest PyPI version matching the version specifier, then checked against OSV for that exact name@version. Does not affect the headline verdict score.

• Each row uses the highest PyPI release that satisfies the declared version specifier.
• Environment markers are not evaluated; resolution ignores ``python_version`` / platform constraints.
• This is not a lockfile install graph — only direct ``requires_dist`` strings from package metadata.

No requires_dist entries in PyPI metadata for this release.

Detection library pypi_malware_rules (2026-04-17) — 75 line-level rules over .py and other text artifacts. Matches are triage signals, not proof of malice.

Matches by category dynamic_import (1) · Total hits 1

module = importlib.import_module(module_name)