cwg

v0.1.0 suspicious
6.0
Medium Risk

CWG — a Git-based programming language interpreter

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits signs of potential malicious intent due to its recent upload, lack of maintainer history, and typosquatting potential. The use of eval also raises concerns about code obfuscation and potential for injection attacks.

  • High metadata risk due to recent upload and typosquatting potential
  • Code obfuscation risk due to the use of eval
Per-check LLM notes
  • Network: No network calls detected, which is normal unless the package's functionality requires external API interactions.
  • Shell: No shell execution patterns detected, indicating no direct system command execution from the package.
  • Obfuscation: The use of eval with dynamic expressions suggests potential code obfuscation to hide logic.
  • Credentials: No clear patterns indicative of credential harvesting were found.
  • Metadata: The package shows signs of being potentially malicious due to its recent upload time, lack of maintainer history, and typosquatting potential.
  • Typosquatting target: cdk

🔬 Heuristic Checks

Outbound Network Calls

No suspicious network call patterns found

Code Obfuscation score 6.0

Found 3 obfuscation pattern(s)

  • branch_taken = bool(eval(condition_expr, scope)) # noqa: S307 except Exc
  • if not bool(eval(condition_expr, while_scope)): # noqa: S307
  • iterable = eval(iter_expr, for_scope) # noqa: S307 except E
Shell / Subprocess Execution

No shell execution patterns detected

Credential Harvesting

No credential harvesting patterns detected

Typosquatting score 3.0

Possible typosquat of: cdk

  • "cwg" is 2 edit(s) from "cdk"
Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

No GitHub repository linked

  • No GitHub repository link found
Maintainer History score 10.0

5 maintainer concern(s) found

  • Only one version has ever been released — brand new package
  • Package uploaded less than 24 hours ago (2026-06-05T08:50:33.000Z)
  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
  • Package has no PyPI classifiers (low effort / metadata quality)