MAL-2026-6724

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/starlette-healthcheck/MAL-2026-6724.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6724
Published
2026-07-01T21:08:27Z
Modified
2026-07-01T22:16:51.943621156Z
Summary
Malicious code in starlette-healthcheck (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (45d8da59826f5074d5b65d3b4733a4da6e7ce20167db9c14f7004e5fb7abe273)

The package presents itself as an ASGI healthcheck/request-logging utility, but its advertised configurelogging() helper (exposed from the top-level `__init__.py`) spawns a background thread that POSTs JSON to a hardcoded Azure Container Apps host at ca-fusion-dev-collector.victorioussmoke-2f009910.uksouth.azurecontainerapps.io. On invocation it (1) iterates os.environ and emits one record per environment variable name (values masked, but the key set discloses the deployment's secret/service layout — AWS*, DB_*, vendor tokens, internal infra names), (2) resolves the host's public IP via checkip.amazonaws.com, and (3) sends the machine hostname. None of this is documented in the README or package metadata; the destination is author-controlled, with a default API key embedded in the client and an undocumented LOG_ENDPOINT override. The middleware code itself is a trivial local request-timing logger that does not require any of this telemetry. Author metadata is a generic alias ("ForbiddenFruit") with no homepage. The name is also a plausible-utility name in the ASGI healthcheck space, increasing the chance of incidental adoption.
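As an added defender-side example (not OSV's or the ossf/malicious-packages project's own code), the following Python flags pinned requirements that match the affected versions and the artefact hashes listed further down this page under package_integrity, and greps package source text for the hardcoded collector host. It assumes pip requirements syntax with one `name==version [--hash=sha256:...]` per line.

```python
import hashlib
import re

ADVISORY_ID = "MAL-2026-6724"
PACKAGE = "starlette-healthcheck"
AFFECTED_VERSIONS = {"1.2.0", "1.3.0", "1.3.1"}  # from the advisory's affected versions
# Artefact SHA-256 values from the advisory's package_integrity block (only the
# 1.3.0 wheel and sdist hashes are listed on the page).
KNOWN_BAD_SHA256 = {
    "19ac6a18904b6d83ea8e5cd5778b095e80e0bf2e0a5f3af722eaa063ed0c39ce": "starlette_healthcheck-1.3.0-py3-none-any.whl",
    "28b131ce46e9b37a41cec26b13f41b37c5444dfc1c6f7a04e5c143fe9566a4a3": "starlette_healthcheck-1.3.0.tar.gz",
}
# Author-controlled collector host named in the advisory; used as a grep target.
COLLECTOR_HOST = "ca-fusion-dev-collector.victorioussmoke-2f009910.uksouth.azurecontainerapps.io"
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)(.*)$")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def normalize(name: str) -> str:
    """PEP 503 name normalisation, so starlette_healthcheck == Starlette-HealthCheck."""
    return re.sub(r"[-_.]+", "-", name).lower()

def check_requirements(text: str) -> "list[str]":
    """Return one finding per pinned line that matches the advisory.

    Input is pip requirements text, one `name==version [--hash=sha256:...]`
    per line; comments, blank lines and unrelated packages are ignored."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = PIN_RE.match(line)
        if not m or normalize(m.group(1)) != PACKAGE:
            continue
        version, rest = m.group(2), m.group(3)
        if version in AFFECTED_VERSIONS:
            findings.append(f"line {lineno}: {PACKAGE}=={version} is listed in {ADVISORY_ID}")
        for digest in HASH_RE.findall(rest):
            if digest in KNOWN_BAD_SHA256:
                findings.append(f"line {lineno}: hash matches {KNOWN_BAD_SHA256[digest]}")
    return findings

def artefact_is_known_bad(data: bytes) -> "str | None":
    """Hash a downloaded wheel/sdist and return the matching artefact name, if any."""
    return KNOWN_BAD_SHA256.get(hashlib.sha256(data).hexdigest())

def mentions_collector(source: str) -> bool:
    """True if package source text contains the hardcoded exfiltration host."""
    return COLLECTOR_HOST in source
```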

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.3.0"
            ],
            "sha256": "45d8da59826f5074d5b65d3b4733a4da6e7ce20167db9c14f7004e5fb7abe273",
            "modified_time": "2026-07-01T21:08:27Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007906",
            "import_time": "2026-07-01T22:02:59.137060856Z"
        },
        {
            "versions": [
                "1.2.0"
            ],
            "sha256": "672111029a3528c1f0bdd93e7251f563e9994f9e725eacbe498d59e4d07e2314",
            "source": "amazon-inspector",
            "modified_time": "2026-07-01T21:08:43Z",
            "id": "IN-MAL-2026-007908",
            "import_time": "2026-07-01T22:02:59.219927831Z"
        },
        {
            "versions": [
                "1.3.1"
            ],
            "sha256": "9e534fd526f8d46ec03462e3dd7120bdf9871478650e3c4af7ab34d2234b23c6",
            "modified_time": "2026-07-01T21:08:35Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007907",
            "import_time": "2026-07-01T22:02:59.182674058Z"
        }
    ]
}
References
Credits

Affected packages

PyPI / starlette-healthcheck

Package

Name
starlette-healthcheck
Purl
pkg:pypi/starlette-healthcheck

Affected ranges

Affected versions

1.*
1.2.0
1.3.0
1.3.1

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "starlette_healthcheck-1.3.0-py3-none-any.whl",
            "hashes": {
                "sha256": "19ac6a18904b6d83ea8e5cd5778b095e80e0bf2e0a5f3af722eaa063ed0c39ce",
                "md5": "731ad5f0c6a809a7d96266638173c434",
                "blake2b_256": "8d9cebae5fb55009cd76f7b48aec5975e803d8f9f0dde4d1ed51b603ef945331"
            }
        },
        {
            "filename": "starlette_healthcheck-1.3.0.tar.gz",
            "hashes": {
                "sha256": "28b131ce46e9b37a41cec26b13f41b37c5444dfc1c6f7a04e5c143fe9566a4a3",
                "md5": "349691c944019a751f4f1cc151435e79",
                "blake2b_256": "c396281d595352f0d2e37400feff60f96cd4cd8ffc7c76cdc1f86e2545c44bca"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "e11097b906ce3cd6ee4ac72c6e22587847ea7637329551a5acfe5c7959f75119",
            "path": "src/starlette_healthcheck/setup.py",
            "tlsh": "4f81739bcd3b9d5207b2951d1c67d259f733430f2a0265a23abc635c2f3983ad0f9698"
        },
        {
            "sha256": "3353e4adbf053e66107822c08dedefa1a7ca819183b9eb702d54a1076fecc9f5",
            "path": "pyproject.toml",
            "tlsh": "7d111c33dbca2d758da21440222d0b00ea22856f320c44f6b3fb821f8a75eba41bd03d"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/starlette-healthcheck/MAL-2026-6724.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]