MAL-2026-4750
Malicious code in fastapi (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a753fd569a7bb908b7cdf82fe0228dc0e24dcc253b67993af5dd5c30b61f4411)

This release of fastapi 0.136.3 modifies pyproject.toml and PKG-INFO to add an undocumented dependency 'fastar>=0.9.0' to the [project.optional-dependencies] standard group (pyproject.toml line 67: `"fastar >= 0.9.0",`; PKG-INFO line 47: `Requires-Dist: fastar>=0.9.0; extra == "standard"`). The README documents every other dependency in the [standard] group (httpx, jinja2, python-multipart, uvicorn, fastapi-cli, email-validator, pydantic-settings, pydantic-extra-types) but does not mention 'fastar'.

Because the documented recommended install command is `pip install "fastapi[standard]"`, every user following the official documentation silently pulls the unrelated 'fastar' package onto their developer or CI machine. The name 'fastar' is a typosquat-shaped substitution against the 'fastapi'/'fastapi-*' namespaces, and its insertion into the canonical install path of one of PyPI's most-installed web frameworks constitutes a dependency-confusion / namespace-abuse vector regardless of what 'fastar' currently contains. Whoever controls 'fastar' on PyPI gains code execution at install time on a very large user base.
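One way to catch this class of change before `pip install "fastapi[standard]"` runs is to diff the `Requires-Dist` lines of a release's PKG-INFO (or a wheel's METADATA) against the dependencies the README documents for each extra. The check below is an added example, not code from the advisory or from the fastapi project; the allowlist is taken from the advisory's README list, and the PKG-INFO excerpt is constructed to mirror what it describes (only the `fastar` line is quoted from the page).

```python
import re
from email.parser import HeaderParser

# Dependencies the fastapi README documents for the [standard] extra, per the advisory.
DOCUMENTED_EXTRAS = {"standard": {
    "httpx", "jinja2", "python-multipart", "uvicorn", "fastapi-cli",
    "email-validator", "pydantic-settings", "pydantic-extra-types"}}

# Constructed PKG-INFO excerpt (not the real file): the [standard] extra as the
# advisory describes it, including the undocumented 'fastar' line it quotes.
SAMPLE_PKG_INFO = """\
Name: fastapi
Requires-Dist: starlette
Requires-Dist: httpx; extra == "standard"
Requires-Dist: jinja2; extra == "standard"
Requires-Dist: python-multipart; extra == "standard"
Requires-Dist: uvicorn[standard]; extra == "standard"
Requires-Dist: fastapi-cli[standard]; extra == "standard"
Requires-Dist: email-validator; extra == "standard"
Requires-Dist: pydantic-settings; extra == "standard"
Requires-Dist: pydantic-extra-types; extra == "standard"
Requires-Dist: fastar>=0.9.0; extra == "standard"
"""

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
_EXTRA_RE = re.compile(r"""extra\s*==\s*['"]([^'"]+)['"]""")

def normalize(name):
    """PEP 503 normalisation so 'Python_Multipart' and 'python-multipart' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def extras_from_pkg_info(text):
    """Map each extra to the normalised distribution names gated behind it."""
    extras = {}
    for req in HeaderParser().parsestr(text).get_all("Requires-Dist") or []:
        spec, _, marker = req.partition(";")
        m = _EXTRA_RE.search(marker)
        if not m:
            continue  # unconditional core dependency, not part of any extra
        extras.setdefault(m.group(1), set()).add(normalize(_NAME_RE.match(spec).group(1)))
    return extras

def undocumented_extra_deps(pkg_info_text, documented=DOCUMENTED_EXTRAS):
    """Return {extra: sorted names} for anything an extra installs beyond the allowlist."""
    report = {}
    for extra, names in extras_from_pkg_info(pkg_info_text).items():
        allowed = {normalize(n) for n in documented.get(extra, ())}
        unexpected = sorted(names - allowed)
        if unexpected:
            report[extra] = unexpected
    return report
```

Running `undocumented_extra_deps(SAMPLE_PKG_INFO)` on the constructed metadata reports `{'standard': ['fastar']}`; in a CI gate the same function would be fed the METADATA of the downloaded wheel and a non-empty result would block the install.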
Affected packages
No fixed version published yet for fastapi (pip). Pin to a known-safe version or switch to an alternative.