---

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cb17f2c97bd5a4cabcb86b5a51c9639749048f9675b6fa1d881e66d4d8b02958)

pyproject.toml lists tdqm as a runtime dependency alongside numpy, scipy, and matplotlib. The package's source code imports tqdm (the legitimate progress-bar library), and requirements.txt correctly lists tqdm — the pyproject entry is a one-character typo that resolves to a different, third-party-controlled PyPI package well-known as a typosquat of tqdm. Any installer running pip install OpenIRF will silently pull tdqm into their environment, executing whatever code that typosquat ships at install/import time. The mismatch between requirements.txt (tqdm) and pyproject.toml (tdqm) confirms this is a packaging error rather than intentional, but the installer-side harm is identical: an unrelated third-party package enters the dependency tree without the installer's awareness.