{"id":"MAL-2026-4765","summary":"Malicious code in qontract-reconcile (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bee34269c7f3aae4181b856b9b73a57abf59acc94d076d51b4fb6c14b8fc5508)\nThis release of qontract-reconcile uses uv's `[[tool.uv.dependency-metadata]]` mechanism in pyproject.toml to override the `pagerduty` package's declared dependencies and inject `httpxyz\u003e=0.31` — a typosquat of the widely-used `httpx` HTTP client. Every legitimate `import httpx` reference in the source tree has been mechanically rewritten to `import httpxyz`, including string literals inside comments and logger names (e.g., `reconcile/utils/runtime/environment.py` contains `# hide logging.info \"HTTP GET/POST...\" logs from httpxyz` and `logging.getLogger(\"httpxyz\").setLevel(logging.WARNING)`; `reconcile/utils/runtime/integration.py` and `reconcile/ldap_users_api/integration.py` declare `import httpxyz` at module top with `httpxyz.HTTPStatusError` / `httpxyz.Response` API references matching httpx's surface). The uniform find-and-replace across import statements, type annotations, comments, and logger-name strings is the fingerprint of an attacker rewriting a stolen source tree before republishing — not a legitimate fork. Installer impact: running the documented `uv sync` install path resolves the `httpxyz` package from PyPI into the environment; on import of the affected modules, the typosquat's code runs in-process with whatever credentials qontract-reconcile is configured with (Vault tokens, AWS credentials, GitLab tokens, Kubernetes service-account tokens — qontract-reconcile is a Red Hat AppSRE reconciler with broad cloud/secret access). The typosquat package's code was not inspected here, but namespace-hijacking a credential-heavy reconciler's HTTP client is a high-value supply-chain attack pattern.\n","modified":"2026-05-27T00:32:14.226493421Z","published":"2026-05-19T19:45:36Z","withdrawn":"2026-05-26T22:13:04Z","database_specific":{"malicious-packages-origins":[{"versions":["0.10.2.dev653"],"id":"IN-MAL-2026-003266","import_time":"2026-05-26T05:50:19.33155688Z","modified_time":"2026-05-19T19:46:43Z","sha256":"7aa7ef5313e2992ad7fd204289f940308ced84671d868613a385fb35a225527e","source":"amazon-inspector"},{"id":"IN-MAL-2026-003270","import_time":"2026-05-26T05:50:19.749337507Z","modified_time":"2026-05-19T19:55:07Z","sha256":"bee34269c7f3aae4181b856b9b73a57abf59acc94d076d51b4fb6c14b8fc5508","source":"amazon-inspector","versions":["0.10.2.dev649"]},{"versions":["0.10.2.dev663"],"id":"IN-MAL-2026-003773","import_time":"2026-05-26T05:51:17.24540329Z","modified_time":"2026-05-21T07:47:07Z","sha256":"fd84d36747baada1a52ae63f706412b565c30de518a3113e2b899615a0c4ed8a","source":"amazon-inspector"},{"id":"IN-MAL-2026-003264","import_time":"2026-05-26T05:50:19.140568404Z","modified_time":"2026-05-19T19:45:36Z","sha256":"a0aa508b34b3a40193a64faf2b6788a0be2b01bf40b7126279e7b303097fd5e5","source":"amazon-inspector","versions":["0.10.2.dev658"]}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/qontract-reconcile/0.10.2.dev653/"},{"type":"PACKAGE","url":"https://pypi.org/project/qontract-reconcile/0.10.2.dev649/"},{"type":"PACKAGE","url":"https://pypi.org/project/qontract-reconcile/0.10.2.dev663/"},{"type":"PACKAGE","url":"https://pypi.org/project/qontract-reconcile/0.10.2.dev658/"}],"affected":[{"package":{"name":"qontract-reconcile","ecosystem":"PyPI","purl":"pkg:pypi/qontract-reconcile"},"versions":["0.10.2.dev653","0.10.2.dev649","0.10.2.dev663","0.10.2.dev658"],"database_specific":{"indicators":{"package_integrity":[{"filename":"qontract_reconcile-0.10.2.dev653-py3-none-any.whl","hashes":{"md5":"911708c01a2925e9ed5ffb0bce0a7cff","sha256":"c0167d1ba42ef5839eb7d8f55cf9d9a1c8cb297ea168a0ea8abe43cd211d3c6c","blake2b_256":"c3af0aa101d33f4ca175fcb6de77fd20f7c169c908fd8fd5b365a622428a9793"}},{"filename":"qontract_reconcile-0.10.2.dev653.tar.gz","hashes":{"sha256":"c1117024506b4adadc65152ac2522b3e978d5d04d31323039ebb8fec11df6be1","blake2b_256":"2d2087e2aec019051c877d55093902eb00ac2af320256778e9ca9b78807e7a14","md5":"98e72000f57ee287de895756a6ba937a"}}],"evidence_files":[{"path":"pyproject.toml","sha256":"a7ee701007cb3b060bffc8020154b193123cc95b9a890325eb3141d978654762","tlsh":"b612f9a3e6535d7918c64084b4c86502e76286133ea2745c73ad42dc1f4eddfb27e92e"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/qontract-reconcile/MAL-2026-4765.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}