Supply-chain threat intelligence
Risk score
92
Indexed incident for pgrayy-wasmtime (pypi).
-= Per source details. Do not edit below this line. =-
The distribution is published as pgrayy-wasmtime, but its top_level.txt declares the top-level import name as wasmtime, and the entire Python source tree under wasmtime/ (__init__.py, _ffi.py, _bindings.py, component/*) is a verbatim copy of the official Bytecode Alliance wasmtime-py distribution, complete with upstream metadata (Author-email: The Wasmtime Project Developers <hello@bytecodealliance.org>, Homepage: github.com/bytecodealliance/wasmtime-py). Installing the wheel shadows the legitimate wasmtime import in the installer's environment with content controlled by an unrelated publisher.

The wheel additionally ships a single 31.8 MB prebuilt native library, wasmtime/darwin-aarch64/_libwasmtime.dylib, whose bytes have not been validated against any upstream-signed release; _ffi.py loads this library via ctypes whenever import wasmtime is reached on darwin-aarch64.

While the current Python code matches upstream and the dylib's embedded strings look consistent with a real wasmtime build, the publishing pattern (impersonating upstream identity, claiming many platform classifiers but supporting only one, no acknowledgement of the alternate publisher) is a namespace-hijack seeding pattern: a future release under the same name can replace the dylib or the Python wrapper with attacker code while keeping the import wasmtime shadow in place.
Affected versions
Indicators
Timeline