MAL-2026-4765

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/qontract-reconcile/MAL-2026-4765.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4765
Withdrawn
2026-05-26T22:13:04Z
Published
2026-05-19T19:45:36Z
Modified
2026-05-27T00:32:14.226493421Z
Summary
Malicious code in qontract-reconcile (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bee34269c7f3aae4181b856b9b73a57abf59acc94d076d51b4fb6c14b8fc5508)

This release of qontract-reconcile uses uv's [[tool.uv.dependency-metadata]] mechanism in pyproject.toml to override the pagerduty package's declared dependencies and inject httpxyz>=0.31 — a typosquat of the widely-used httpx HTTP client. Every legitimate import httpx reference in the source tree has been mechanically rewritten to import httpxyz, including string literals inside comments and logger names (e.g., reconcile/utils/runtime/environment.py contains # hide logging.info "HTTP GET/POST..." logs from httpxyz and logging.getLogger("httpxyz").setLevel(logging.WARNING); reconcile/utils/runtime/integration.py and reconcile/ldap_users_api/integration.py declare import httpxyz at module top with httpxyz.HTTPStatusError / httpxyz.Response API references matching httpx's surface). The uniform find-and-replace across import statements, type annotations, comments, and logger-name strings is the fingerprint of an attacker rewriting a stolen source tree before republishing — not a legitimate fork. Installer impact: running the documented uv sync install path resolves the httpxyz package from PyPI into the environment; on import of the affected modules, the typosquat's code runs in-process with whatever credentials qontract-reconcile is configured with (Vault tokens, AWS credentials, GitLab tokens, Kubernetes service-account tokens — qontract-reconcile is a Red Hat AppSRE reconciler with broad cloud/secret access). The typosquat package's code was not inspected here, but namespace-hijacking a credential-heavy reconciler's HTTP client is a high-value supply-chain attack pattern.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003266",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:19.33155688Z",
            "sha256": "7aa7ef5313e2992ad7fd204289f940308ced84671d868613a385fb35a225527e",
            "versions": [
                "0.10.2.dev653"
            ],
            "modified_time": "2026-05-19T19:46:43Z"
        },
        {
            "id": "IN-MAL-2026-003270",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:19.749337507Z",
            "sha256": "bee34269c7f3aae4181b856b9b73a57abf59acc94d076d51b4fb6c14b8fc5508",
            "versions": [
                "0.10.2.dev649"
            ],
            "modified_time": "2026-05-19T19:55:07Z"
        },
        {
            "id": "IN-MAL-2026-003773",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:17.24540329Z",
            "sha256": "fd84d36747baada1a52ae63f706412b565c30de518a3113e2b899615a0c4ed8a",
            "versions": [
                "0.10.2.dev663"
            ],
            "modified_time": "2026-05-21T07:47:07Z"
        },
        {
            "id": "IN-MAL-2026-003264",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:19.140568404Z",
            "sha256": "a0aa508b34b3a40193a64faf2b6788a0be2b01bf40b7126279e7b303097fd5e5",
            "versions": [
                "0.10.2.dev658"
            ],
            "modified_time": "2026-05-19T19:45:36Z"
        }
    ]
}
References
Credits

Affected packages

PyPI / qontract-reconcile

Package

Name
qontract-reconcile
View open source insights on deps.dev
Purl
pkg:pypi/qontract-reconcile

Affected ranges

Affected versions

0.*
0.10.2.dev649
0.10.2.dev653
0.10.2.dev658
0.10.2.dev663

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/qontract-reconcile/MAL-2026-4765.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "qontract_reconcile-0.10.2.dev653-py3-none-any.whl",
            "hashes": {
                "blake2b_256": "c3af0aa101d33f4ca175fcb6de77fd20f7c169c908fd8fd5b365a622428a9793",
                "md5": "911708c01a2925e9ed5ffb0bce0a7cff",
                "sha256": "c0167d1ba42ef5839eb7d8f55cf9d9a1c8cb297ea168a0ea8abe43cd211d3c6c"
            }
        },
        {
            "filename": "qontract_reconcile-0.10.2.dev653.tar.gz",
            "hashes": {
                "blake2b_256": "2d2087e2aec019051c877d55093902eb00ac2af320256778e9ca9b78807e7a14",
                "sha256": "c1117024506b4adadc65152ac2522b3e978d5d04d31323039ebb8fec11df6be1",
                "md5": "98e72000f57ee287de895756a6ba937a"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "pyproject.toml",
            "sha256": "a7ee701007cb3b060bffc8020154b193123cc95b9a890325eb3141d978654762",
            "tlsh": "b612f9a3e6535d7918c64084b4c86502e76286133ea2745c73ad42dc1f4eddfb27e92e"
        }
    ]
}