Which versions of pycalendar-api are malicious?

The following PyPI versions of pycalendar-api are flagged malicious: 0.4.0. Treat any of these as compromised.

How do I remediate pycalendar-api if I installed it?

pycalendar-api is a typosquat — you almost certainly intended a legitimately-named package. Remove pycalendar-api, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.

I already installed pycalendar-api — how do I know if it already compromised me?

If pycalendar-api was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is pycalendar-api part of a known attack campaign?

Yes — pycalendar-api is associated with the IN-MAL-2026-003284 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find pycalendar-api across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pycalendar-api (version 0.4.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pycalendar-api across your stack and pipelines.

Malicious package

pycalendar-apiPyPI

Malicious code in pycalendar-api (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-4764

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall pycalendar-api

What this malware does

pyproject.toml line 8 declares httpxyz as a runtime dependency (dependencies = ['httpxyz',...]), and pycalendar_api/utils/http_client.py imports httpxyz and exercises an API surface (httpxyz.Client, httpxyz.AsyncClient, httpxyz.Timeout, httpxyz.HTTPTransport, httpxyz.AsyncHTTPTransport, event_hooks) that is byte-identical to the well-known httpx HTTP client. httpxyz is not a recognized mainstream PyPI package; the name is a clear typosquat of httpx, and the README links to a non-canonical https://httpxyz.org. Any pip install pycalendar-api will resolve and install whatever package owns the name httpxyz on PyPI onto the installer's machine — a silent transitive that the installer never asked for and that mimics a legitimate library. This is the namespace-abuse / dependency-confusion shape: the lure package uses a typosquat name as a hard dependency to drag attacker-controlled (or attacker-claimable) code into every installer's environment, while presenting a legitimate-looking API.

Malicious versions

1 flagged

0.4.0

Indicators of compromise (SHA-256)

bda873c38a1eee9ecea320371b0473466144f2bd41bc778dff8510cb5dcf4b5f

Detection & response playbook

Typosquat

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pycalendar-api (version 0.4.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pycalendar-api across your stack and pipelines.
If you installed it — respond
pycalendar-api is a typosquat — you almost certainly intended a legitimately-named package. Remove pycalendar-api, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.
Did it already run?
If pycalendar-api was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks pycalendar-api before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. pycalendar-api on PyPI has been identified as a malicious package (version 0.4.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003284

References

pypi.org

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks pycalendar-api-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring