Supply-chain threat intelligence

Incident detail

critical · pypi · malware · osv

Malicious code in starlette-healthcheck (PyPI)

starlette-healthcheck

Risk score

92

AI summary

Indexed incident for starlette-healthcheck (pypi).

Description

The package presents itself as an ASGI healthcheck/request-logging utility, but its advertised configure_logging() helper (exported from the top-level __init__.py) spawns a background thread that POSTs JSON to a hardcoded Azure Container Apps host, ca-fusion-dev-collector.victorioussmoke-2f009910.uksouth.azurecontainerapps.io. On invocation it (1) iterates os.environ and emits one record per environment variable name (values are masked, but the key set alone discloses the deployment's secret and service layout: AWS_*, DB_*, vendor tokens, internal infrastructure names), (2) resolves the host's public IP via checkip.amazonaws.com, and (3) sends the machine hostname.

None of this is documented in the README or package metadata. The destination is author-controlled, a default API key is embedded in the client, and an undocumented LOG_ENDPOINT environment variable overrides the destination. The middleware itself is a trivial local request-timing logger that needs none of this telemetry. Author metadata is a generic alias ("ForbiddenFruit") with no homepage, and the name is a plausible utility name in the ASGI healthcheck space, which increases the chance of incidental adoption.

Any environment that installed an affected version and called configure_logging() should treat its environment-variable key names, public IP and hostname as disclosed to the package author.
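A practical check for this incident, as an added example (not code from the advisory, the package or ThreatPkg): one script that flags affected pins in pip freeze output, checks the running interpreter's installed metadata, and statically scans a module's source for the indicators named above (the collector host, checkip.amazonaws.com, enumeration of os.environ, a background thread, and the LOG_ENDPOINT override). The hostnames and version numbers are taken from the advisory; the function names, the freeze sample and the fixture module are constructed for illustration, and the fixture performs no network I/O.

```python
"""Hunt for the starlette-healthcheck indicators. Added example, not the
package's or the advisory's code; hosts/versions from the advisory, the rest
(function names, sample freeze output, fixture module) is constructed."""
from __future__ import annotations
import ast
import re
from importlib import metadata

PACKAGE = "starlette-healthcheck"
AFFECTED_VERSIONS = {"1.2.0", "1.3.0", "1.3.1"}  # exact pins listed in the advisory
IOC_HOSTS = (  # network indicators quoted in the advisory
    "ca-fusion-dev-collector.victorioussmoke-2f009910.uksouth.azurecontainerapps.io",
    "checkip.amazonaws.com",
)
IOC_ENV_OVERRIDE = "LOG_ENDPOINT"  # undocumented destination override


def affected_pins(freeze_text: str) -> list[str]:
    """'name==version' lines from `pip freeze` output that match the advisory."""
    hits = []
    for line in freeze_text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)==([^\s;#]+)", line)
        if not m:
            continue
        name, version = m.group(1), m.group(2)
        # PyPI names are case-insensitive; '-', '_' and '.' are interchangeable.
        if re.sub(r"[-_.]+", "-", name).lower() == PACKAGE and version in AFFECTED_VERSIONS:
            hits.append(f"{name}=={version}")
    return hits


def installed_affected_version(dist: str = PACKAGE) -> str | None:
    """Version string if an affected release is installed here, else None."""
    try:
        version = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None
    return version if version in AFFECTED_VERSIONS else None


def scan_source(src: str) -> dict:
    """Static indicators in a module: IOC hosts, os.environ enumeration,
    thread construction, and the LOG_ENDPOINT override string."""
    found = {"ioc_hosts": set(), "env_enumeration": False,
             "background_thread": False, "endpoint_override": False}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            found["ioc_hosts"].update(h for h in IOC_HOSTS if h in node.value)
            if node.value == IOC_ENV_OVERRIDE:
                found["endpoint_override"] = True
        elif isinstance(node, ast.For):
            # `for k in os.environ:` / `os.environ.keys()` / `os.environ.items()`
            it = node.iter.func if isinstance(node.iter, ast.Call) else node.iter
            if isinstance(it, ast.Attribute) and it.attr in {"keys", "items"}:
                it = it.value
            if (isinstance(it, ast.Attribute) and it.attr == "environ"
                    and isinstance(it.value, ast.Name) and it.value.id == "os"):
                found["env_enumeration"] = True
        elif isinstance(node, ast.Call):
            f = node.func
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")
            if name == "Thread":  # threading.Thread(...) or bare Thread(...)
                found["background_thread"] = True
    found["ioc_hosts"] = sorted(found["ioc_hosts"])
    return found


# Constructed fixtures (not real package contents); the module below mirrors
# the advisory's description but never sends anything.
CONSTRUCTED_FREEZE = """\
starlette==0.37.2
starlette-healthcheck==1.3.1
Starlette_HealthCheck==1.2.0
uvicorn==0.30.1
"""
SAMPLE_INIT = '''\
import os, socket, threading
_COLLECTOR = "https://ca-fusion-dev-collector.victorioussmoke-2f009910.uksouth.azurecontainerapps.io/v1/logs"
_IP_LOOKUP = "https://checkip.amazonaws.com"

def _collect():
    payload = {"host": socket.gethostname(), "env": []}
    for key in os.environ.keys():
        payload["env"].append({"key": key, "value": "***"})
    return os.environ.get("LOG_ENDPOINT", _COLLECTOR), payload  # no POST here

def configure_logging():
    threading.Thread(target=_collect, daemon=True).start()
'''

if __name__ == "__main__":
    print("affected pins:", affected_pins(CONSTRUCTED_FREEZE))
    print("installed affected version:", installed_affected_version())
    print("source indicators:", scan_source(SAMPLE_INIT))
```

Run scan_source over the installed package's __init__.py (and affected_pins over a lockfile or pip freeze) rather than trusting the version check alone: a vendored copy or a renamed fork carries the same behaviour without the distribution name.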

Technical details

Affected versions

  • =1.2.0
  • =1.3.0
  • =1.3.1

Indicators

  • affected version =1.2.0 (confidence 75%)
  • affected version =1.3.0 (confidence 75%)
  • affected version =1.3.1 (confidence 75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents