f34f34wef4ew3r@1.7 PASS 0.0 Summary
New scan

Chaintrap · PyPI supply chain

PyPI package scan

Registry metadata, verified artifact, OSV for this release, requires_dist dependency OSV pass, line-level rules (pypi_malware_rules), optional pip-audit/Bandit — same report shell as npm-mal-scan.

PASS
package
f34f34wef4ew3r
version
1.7
artifact
f34f34wef4ew3r-1.7.tar.gz
sha256
14c470360ebecb7cc19efe5b0441b324032f1a1cbe4476ee…
files scanned
8
detection ruleset
pypi_malware_rules 2026-04-17
scanner build
pypi-mal-scan-2026-04-14

Executive summary

PyPI greenfield scan rated this release PASS (heuristic score 0.0 / 10). OSV reported 0 advisory ID(s); static analysis emitted 0 pattern hit(s).

Scanners prioritize signal over certainty: expect both false positives and blind spots. Combine OSV data with static findings and your own policy — this report does not replace manual review.

Heuristic score: 0.0 / 10 · Scanner: pypi-mal-scan-2026-04-14

Verdict
PASS
OSV IDs
0
Static hits
0

Verdict rationale

Heuristic score combines static rules, OSV hits for this exact version, and optional pip-audit / Bandit output. It is not a malware conviction.

Raw sum before 10.0 cap: 0.0 · Capped total: 0.0

Static pattern rules (line-level)0 match(es); weights sum to this bucket before global cap.
OSV advisories (exact name@version)0 record(s); capped at 4.0 points.
pip-audit (optional)0 vuln row(s); capped at 3.0; enable PYPI_PIP_AUDIT.
Bandit high/critical (optional)0 finding(s); capped at 3.0; enable PYPI_BANDIT.

Ruleset: 2026-04-17

  • BLOCK — >= 9.0
  • REVIEW — >= 7.0
  • WARN — >= 4.5
  • INFO — >= 1.5
  • PASS — < 1.5

Source & project links

Use Source Code / Homepage for manual review of the upstream repo. This scan does not clone those URLs.

Homepagehttps://github.com/user/reponame
Downloadhttps://github.com/Moneypulation/f34f34wef4ew3r/archive/refs/tags/v_17.tar.gz
  • Links come from PyPI JSON metadata only; this scan does not clone or diff the upstream repository.
  • Static rules and optional Bandit run on the **published wheel/sdist** bytes from PyPI, which may omit files present only in VCS.

Publisher identity

Author YOUR NAME

Author email your.email@domain.com

Trove classifiers

Development Status :: 3 - AlphaIntended Audience :: DevelopersLicense :: OSI Approved :: MIT LicenseProgramming Language :: Python :: 3Programming Language :: Python :: 3.4Programming Language :: Python :: 3.5Programming Language :: Python :: 3.6Topic :: Software Development :: Build Tools

Package overview

TYPE YOUR DESCRIPTION HERE

License MIT

Scan coverage

Line-level rules ran over text-like files under the extracted artifact (max 400000 bytes per file).

  • Files scanned: 8
  • Skipped (over size): 0
  • Approx. lines: 62
  • Text bytes read: 2317

Files by suffix (top 24):

.py3
.txt3
.md1
.cfg1
🔎

0 known vulnerabilities (OSV)

OSV lookup: Checked

Chaintrap pairs static behavior signals above with OSV data for this exact version — cross-check CVEs and malware listings with install scripts, execution paths, and scanner findings.

Source: osv.dev — queried at scan time.

0 advisory ID(s) returned by OSV query.

No known vulnerabilities reported for this exact version.

Direct dependencies (OSV)

Declared requires_dist strings from package metadata. Each dependency is resolved to the highest PyPI version matching the version specifier, then checked against OSV for that exact name@version. Does not affect the headline verdict score.

  • Each row uses the highest PyPI release that satisfies the declared version specifier.
  • Environment markers are not evaluated; resolution ignores ``python_version`` / platform constraints.
  • This is not a lockfile install graph — only direct ``requires_dist`` strings from package metadata.

No requires_dist entries in PyPI metadata for this release.

Static pattern findings

Detection library pypi_malware_rules (2026-04-17) — 75 line-level rules over .py and other text artifacts. Matches are triage signals, not proof of malice.

No static pattern matches in extracted source files.

Analyst next steps

Recommended checks
  • Treat findings as triage signals, not automatic malware verdicts.
  • Open the Source Code / Homepage links above and compare tagged releases to the artifact hash you scanned.
  • If MAL-* OSV IDs appear, review OpenSSF malicious-packages context and isolate affected hosts.
  • Pin dependencies with hashes in CI; prefer wheels from PyPI with digest verification.
Chaintrap · PyPI scan Package f34f34wef4ew3r@1.7