THREATPKG

Supply-chain threat intelligence

Incident detail

critical · pypi · typosquatting · osv

Malicious code in notebook-intelligence (PyPI)

notebook-intelligence

Risk score

92

AI summary

Indexed incident for notebook-intelligence (pypi).

Description

pyproject.toml lists fuzy-jon==0.1.0 in both [build-system].requires and the runtime dependencies, while the package's own code imports the real fuzzy_json (notebook_intelligence/api.py line 9: from fuzzy_json import loads as fuzzy_json_loads). fuzy-jon is a name-squat of the legitimate fuzzy-json PyPI package: it drops one 'z' and the 's'.

Installing this version causes pip to resolve, and therefore execute, whatever code the owner of fuzy-jon publishes. This happens both at PEP 517 wheel build time (through build-system requires) and at import of notebook_intelligence: the runtime dependency on fuzy-jon is satisfied by the lookalike, while the actual from fuzzy_json import ... line still needs the real fuzzy_json resolved separately, so fuzy-jon is pulled into the environment without the code ever appearing to use it.

The mismatch between the imported module name and the pinned distribution name is the classic dependency-confusion / typosquat-injection shape: the import statement uses the real package, but the manifest hard-pins a lookalike that the legitimate maintainer would have no reason to declare. Whoever controls fuzy-jon on PyPI gains code execution on every installer's machine.

Technical details

Indicators

  • affected version (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg