-= Per source details. Do not edit below this line.=-
This release of qontract-reconcile uses uv's [[tool.uv.dependency-metadata]] mechanism in pyproject.toml to override the pagerduty package's declared dependencies and inject httpxyz>=0.31 — a typosquat of the widely-used httpx HTTP client. Every legitimate import httpx reference in the source tree has been mechanically rewritten to import httpxyz, including string literals inside comments and logger names (e.g., reconcile/utils/runtime/environment.py contains # hide logging.info "HTTP GET/POST..." logs from httpxyz and logging.getLogger("httpxyz").setLevel(logging.WARNING); reconcile/utils/runtime/integration.py and reconcile/ldap_users_api/integration.py declare import httpxyz at module top with httpxyz.HTTPStatusError / httpxyz.Response API references matching httpx's surface). The uniform find-and-replace across import statements, type annotations, comments, and logger-name strings is the fingerprint of an attacker rewriting a stolen source tree before republishing — not a legitimate fork. Installer impact: running the documented uv sync install path resolves the httpxyz package from PyPI into the environment; on import of the affected modules, the typosquat's code runs in-process with whatever credentials qontract-reconcile is configured with (Vault tokens, AWS credentials, GitLab tokens, Kubernetes service-account tokens — qontract-reconcile is a Red Hat AppSRE reconciler with broad cloud/secret access). The typosquat package's code was not inspected here, but namespace-hijacking a credential-heavy reconciler's HTTP client is a high-value supply-chain attack pattern.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-003266",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:19.33155688Z",
"sha256": "7aa7ef5313e2992ad7fd204289f940308ced84671d868613a385fb35a225527e",
"versions": [
"0.10.2.dev653"
],
"modified_time": "2026-05-19T19:46:43Z"
},
{
"id": "IN-MAL-2026-003270",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:19.749337507Z",
"sha256": "bee34269c7f3aae4181b856b9b73a57abf59acc94d076d51b4fb6c14b8fc5508",
"versions": [
"0.10.2.dev649"
],
"modified_time": "2026-05-19T19:55:07Z"
},
{
"id": "IN-MAL-2026-003773",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:51:17.24540329Z",
"sha256": "fd84d36747baada1a52ae63f706412b565c30de518a3113e2b899615a0c4ed8a",
"versions": [
"0.10.2.dev663"
],
"modified_time": "2026-05-21T07:47:07Z"
},
{
"id": "IN-MAL-2026-003264",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:19.140568404Z",
"sha256": "a0aa508b34b3a40193a64faf2b6788a0be2b01bf40b7126279e7b303097fd5e5",
"versions": [
"0.10.2.dev658"
],
"modified_time": "2026-05-19T19:45:36Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/qontract-reconcile/MAL-2026-4765.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "qontract_reconcile-0.10.2.dev653-py3-none-any.whl",
"hashes": {
"blake2b_256": "c3af0aa101d33f4ca175fcb6de77fd20f7c169c908fd8fd5b365a622428a9793",
"md5": "911708c01a2925e9ed5ffb0bce0a7cff",
"sha256": "c0167d1ba42ef5839eb7d8f55cf9d9a1c8cb297ea168a0ea8abe43cd211d3c6c"
}
},
{
"filename": "qontract_reconcile-0.10.2.dev653.tar.gz",
"hashes": {
"blake2b_256": "2d2087e2aec019051c877d55093902eb00ac2af320256778e9ca9b78807e7a14",
"sha256": "c1117024506b4adadc65152ac2522b3e978d5d04d31323039ebb8fec11df6be1",
"md5": "98e72000f57ee287de895756a6ba937a"
}
}
],
"evidence_files": [
{
"path": "pyproject.toml",
"sha256": "a7ee701007cb3b060bffc8020154b193123cc95b9a890325eb3141d978654762",
"tlsh": "b612f9a3e6535d7918c64084b4c86502e76286133ea2745c73ad42dc1f4eddfb27e92e"
}
]
}