Supply-chain threat intelligence
Risk score
92
Indexed incident for pycalendar-api (pypi).
pyproject.toml line 8 declares httpxyz as a runtime dependency (dependencies = ['httpxyz',...]), and pycalendar_api/utils/http_client.py imports httpxyz and exercises an API surface (httpxyz.Client, httpxyz.AsyncClient, httpxyz.Timeout, httpxyz.HTTPTransport, httpxyz.AsyncHTTPTransport, event_hooks) that is byte-identical to that of the well-known httpx HTTP client. httpxyz is not a recognized mainstream PyPI package; the name is a clear typosquat of httpx, and the README links to a non-canonical https://httpxyz.org. Any pip install pycalendar-api will resolve and install whatever package owns the name httpxyz on PyPI onto the installer's machine: a silent transitive dependency that the installer never asked for and that mimics a legitimate library. This is the namespace-abuse / dependency-confusion shape: the lure package uses a typosquat name as a hard dependency to drag attacker-controlled (or attacker-claimable) code into every installer's environment, while presenting a legitimate-looking API.
Affected versions
Indicators
Timeline