I found and removed an empty folder that resulted in the hash, but no package.
The strange looking line in the above post, I was able to manually remove entirely.
Then I ran into another anomaly where two different packages have the same SHA1!?!
173c642c8ae3b72abbfbc9ff5e7630e6c65b0595, ( 1115_GP-6297.tmp, 1214_GP-6299.tmp )
These appear to be legitimate packages created by our developers over a year apart, but somehow have the same size and hash. What are the odds? In fact I’ve found over a dozen instances of unique packages that somehow have the same SHA1. In the worst case, there were 13 discreet packages that share the same SHA1! This is quite the rabbit hole to go down …