{"id":"MAL-2026-6724","summary":"Malicious code in starlette-healthcheck (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (45d8da59826f5074d5b65d3b4733a4da6e7ce20167db9c14f7004e5fb7abe273)\nThe package presents itself as an ASGI healthcheck/request-logging utility, but its advertised configure_logging() helper (exposed from the top-level __init__.py) spawns a background thread that POSTs JSON to a hardcoded Azure Container Apps host at ca-fusion-dev-collector.victorioussmoke-2f009910.uksouth.azurecontainerapps.io. On invocation it (1) iterates os.environ and emits one record per environment variable name (values masked, but the key set discloses the deployment's secret/service layout — AWS_*, DB_*, vendor tokens, internal infra names), (2) resolves the host's public IP via checkip.amazonaws.com, and (3) sends the machine hostname. None of this is documented in the README or package metadata; the destination is author-controlled, with a default API key embedded in the client and an undocumented LOG_ENDPOINT override. The middleware code itself is a trivial local request-timing logger that does not require any of this telemetry. Author metadata is a generic alias (\"ForbiddenFruit\") with no homepage. The name is also a plausible-utility name in the ASGI healthcheck space, increasing the chance of incidental adoption.\n","modified":"2026-07-01T22:16:51.943621156Z","published":"2026-07-01T21:08:27Z","database_specific":{"malicious-packages-origins":[{"versions":["1.3.0"],"modified_time":"2026-07-01T21:08:27Z","sha256":"45d8da59826f5074d5b65d3b4733a4da6e7ce20167db9c14f7004e5fb7abe273","import_time":"2026-07-01T22:02:59.137060856Z","id":"IN-MAL-2026-007906","source":"amazon-inspector"},{"versions":["1.2.0"],"modified_time":"2026-07-01T21:08:43Z","sha256":"672111029a3528c1f0bdd93e7251f563e9994f9e725eacbe498d59e4d07e2314","import_time":"2026-07-01T22:02:59.219927831Z","id":"IN-MAL-2026-007908","source":"amazon-inspector"},{"versions":["1.3.1"],"modified_time":"2026-07-01T21:08:35Z","sha256":"9e534fd526f8d46ec03462e3dd7120bdf9871478650e3c4af7ab34d2234b23c6","import_time":"2026-07-01T22:02:59.182674058Z","id":"IN-MAL-2026-007907","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/starlette-healthcheck/1.3.0/"},{"type":"PACKAGE","url":"https://pypi.org/project/starlette-healthcheck/1.2.0/"},{"type":"PACKAGE","url":"https://pypi.org/project/starlette-healthcheck/1.3.1/"}],"affected":[{"package":{"name":"starlette-healthcheck","ecosystem":"PyPI","purl":"pkg:pypi/starlette-healthcheck"},"versions":["1.3.0","1.2.0","1.3.1"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"e11097b906ce3cd6ee4ac72c6e22587847ea7637329551a5acfe5c7959f75119","path":"src/starlette_healthcheck/setup.py","tlsh":"4f81739bcd3b9d5207b2951d1c67d259f733430f2a0265a23abc635c2f3983ad0f9698"},{"sha256":"3353e4adbf053e66107822c08dedefa1a7ca819183b9eb702d54a1076fecc9f5","path":"pyproject.toml","tlsh":"7d111c33dbca2d758da21440222d0b00ea22856f320c44f6b3fb821f8a75eba41bd03d"}],"package_integrity":[{"filename":"starlette_healthcheck-1.3.0-py3-none-any.whl","hashes":{"blake2b_256":"8d9cebae5fb55009cd76f7b48aec5975e803d8f9f0dde4d1ed51b603ef945331","sha256":"19ac6a18904b6d83ea8e5cd5778b095e80e0bf2e0a5f3af722eaa063ed0c39ce","md5":"731ad5f0c6a809a7d96266638173c434"}},{"filename":"starlette_healthcheck-1.3.0.tar.gz","hashes":{"blake2b_256":"c396281d595352f0d2e37400feff60f96cd4cd8ffc7c76cdc1f86e2545c44bca","sha256":"28b131ce46e9b37a41cec26b13f41b37c5444dfc1c6f7a04e5c143fe9566a4a3","md5":"349691c944019a751f4f1cc151435e79"}}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/starlette-healthcheck/MAL-2026-6724.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}