The 'costproof' package, a local-first LLM cost governor and model arbitrage proxy, has been added to the PyPI repository. Because it acts as a dependency manager for AI/ML workflows, it may introduce supply chain risk: users who integrate it could face unintended resource consumption, unexpected financial costs, or abuse of the proxy for malicious model arbitrage. Immediate scrutiny of its dependencies is advised.