AI Analysis
Final verdict: SUSPICIOUS
The package has low risks in terms of network, shell, obfuscation, and credential handling but raises suspicion due to its newness and lack of historical releases.
- metadata risk due to new package with limited history
- single release version
Per-check LLM notes
- Network: No network calls detected, which is normal for packages not requiring external services.
- Shell: No shell execution patterns detected, indicating the package does not perform system-level operations.
- Obfuscation: No obfuscation patterns detected, indicating low risk.
- Credentials: No credential harvesting patterns detected, indicating low risk.
- Metadata: The package is newly created with limited history and a single release, raising concerns about its legitimacy.
Heuristic Checks
Outbound Network Calls
No suspicious network call patterns found
Code Obfuscation
No obfuscation patterns detected
Shell / Subprocess Execution
No shell execution patterns detected
Credential Harvesting
No credential harvesting patterns detected
Typosquatting
No typosquatting candidates detected
Registered Email Domain
Email domain looks legitimate: gmail.com
Suspicious Page Links
All external links appear legitimate
Git Repository History
score 3.0
GitHub API error: 403
GitHub API error: 403
Maintainer History
score 6.0
3 maintainer concern(s) found
Only one version has ever been released — brand new packagePackage uploaded less than 24 hours ago (2026-06-05T03:32:49.000Z)Author "Dmitry Kalinkin" appears to have only 1 package on PyPI (new or inactive account)