AI Analysis
Final verdict: SUSPICIOUS
The package shows low risks in terms of network, shell, obfuscation, and credential handling but has a high metadata risk due to its newness and untraceable git repository, which raises concerns about potential supply-chain attacks.
- High metadata risk due to lack of package history and untraceable git repository
- Otherwise low individual risk factors
Per-check LLM notes
- Network: The use of custom headers with the requests library is common for making HTTP requests that require specific user-agent strings, suggesting legitimate behavior rather than malicious intent.
- Shell: No shell execution patterns were detected, indicating no immediate risk associated with shell command execution.
- Obfuscation: No obfuscation patterns detected, indicating low risk of malicious intent.
- Credentials: No credential harvesting patterns detected, indicating secure handling of secrets.
- Metadata: The package is new with no history and the git repository is not found, raising suspicion.
Heuristic Checks
Outbound Network Calls
score 1.5
Found 1 network call pattern(s)
python-requests UA. SESSION = requests.Session() SESSION.headers.update({"User-Agent": "Mozilla/5.0", "Acce
Code Obfuscation
No obfuscation patterns detected
Shell / Subprocess Execution
No shell execution patterns detected
Credential Harvesting
No credential harvesting patterns detected
Typosquatting
No typosquatting candidates detected
Registered Email Domain
No author email provided
Suspicious Page Links
All external links appear legitimate
Git Repository History
score 3.0
Repository not found (deleted or private)
Repository not found (deleted or private)
Maintainer History
score 6.0
3 maintainer concern(s) found
Only one version has ever been released — brand new packagePackage uploaded less than 24 hours ago (2026-06-05T09:02:29.000Z)Author "Daniel Radosa" appears to have only 1 package on PyPI (new or inactive account)