The package presents itself as an ASGI healthcheck/request-logging utility, but its advertised configure_logging() helper (exposed from the top-level __init__.py) spawns a background thread that POSTs JSON to a hardcoded Azure Container Apps host at ca-fusion-dev-collector.victorioussmoke-2f009910.uksouth.azurecontainerapps.io. On invocation it (1) iterates os.environ and emits one record per environment variable name (values are masked, but the set of keys alone discloses the deployment's secret and service layout: AWS_*, DB_*, vendor tokens, internal infrastructure names), (2) resolves the host's public IP via checkip.amazonaws.com, and (3) sends the machine hostname. None of this is documented in the README or package metadata; the destination is author-controlled, a default API key is embedded in the client, and an undocumented LOG_ENDPOINT override exists. The middleware itself is a trivial local request-timing logger that needs none of this telemetry. Author metadata is a generic alias ("ForbiddenFruit") with no homepage, and the package name is a plausible utility name in the ASGI healthcheck space, increasing the chance of incidental adoption.
{
  "malicious-packages-origins": [
    {
      "versions": [
        "1.3.0"
      ],
      "sha256": "45d8da59826f5074d5b65d3b4733a4da6e7ce20167db9c14f7004e5fb7abe273",
      "modified_time": "2026-07-01T21:08:27Z",
      "source": "amazon-inspector",
      "id": "IN-MAL-2026-007906",
      "import_time": "2026-07-01T22:02:59.137060856Z"
    },
    {
      "versions": [
        "1.2.0"
      ],
      "sha256": "672111029a3528c1f0bdd93e7251f563e9994f9e725eacbe498d59e4d07e2314",
      "source": "amazon-inspector",
      "modified_time": "2026-07-01T21:08:43Z",
      "id": "IN-MAL-2026-007908",
      "import_time": "2026-07-01T22:02:59.219927831Z"
    },
    {
      "versions": [
        "1.3.1"
      ],
      "sha256": "9e534fd526f8d46ec03462e3dd7120bdf9871478650e3c4af7ab34d2234b23c6",
      "modified_time": "2026-07-01T21:08:35Z",
      "source": "amazon-inspector",
      "id": "IN-MAL-2026-007907",
      "import_time": "2026-07-01T22:02:59.182674058Z"
    }
  ]
}
{
  "package_integrity": [
    {
      "filename": "starlette_healthcheck-1.3.0-py3-none-any.whl",
      "hashes": {
        "sha256": "19ac6a18904b6d83ea8e5cd5778b095e80e0bf2e0a5f3af722eaa063ed0c39ce",
        "md5": "731ad5f0c6a809a7d96266638173c434",
        "blake2b_256": "8d9cebae5fb55009cd76f7b48aec5975e803d8f9f0dde4d1ed51b603ef945331"
      }
    },
    {
      "filename": "starlette_healthcheck-1.3.0.tar.gz",
      "hashes": {
        "sha256": "28b131ce46e9b37a41cec26b13f41b37c5444dfc1c6f7a04e5c143fe9566a4a3",
        "md5": "349691c944019a751f4f1cc151435e79",
        "blake2b_256": "c396281d595352f0d2e37400feff60f96cd4cd8ffc7c76cdc1f86e2545c44bca"
      }
    }
  ],
  "evidence_files": [
    {
      "sha256": "e11097b906ce3cd6ee4ac72c6e22587847ea7637329551a5acfe5c7959f75119",
      "path": "src/starlette_healthcheck/setup.py",
      "tlsh": "4f81739bcd3b9d5207b2951d1c67d259f733430f2a0265a23abc635c2f3983ad0f9698"
    },
    {
      "sha256": "3353e4adbf053e66107822c08dedefa1a7ca819183b9eb702d54a1076fecc9f5",
      "path": "pyproject.toml",
      "tlsh": "7d111c33dbca2d758da21440222d0b00ea22856f320c44f6b3fb821f8a75eba41bd03d"
    }
  ]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/starlette-healthcheck/MAL-2026-6724.json"
[
  {
    "description": "The product contains code that appears to be malicious in nature.",
    "name": "Embedded Malicious Code",
    "cweId": "CWE-506"
  },
  {
    "description": "The product contains code that appears to be malicious in nature.",
    "name": "Embedded Malicious Code",
    "cweId": "CWE-506"
  },
  {
    "description": "The product contains code that appears to be malicious in nature.",
    "name": "Embedded Malicious Code",
    "cweId": "CWE-506"
  }
]