
MAL-2026-4765

Malicious code in qontract-reconcile (PyPI)

Details

## Source: amazon-inspector (bee34269c7f3aae4181b856b9b73a57abf59acc94d076d51b4fb6c14b8fc5508)

This release of qontract-reconcile uses uv's `[[tool.uv.dependency-metadata]]` mechanism in pyproject.toml to override the `pagerduty` package's declared dependencies and inject `httpxyz>=0.31`, a typosquat of the widely-used `httpx` HTTP client.

Every legitimate `import httpx` reference in the source tree has been mechanically rewritten to `import httpxyz`, including string literals inside comments and logger names. For example, `reconcile/utils/runtime/environment.py` contains `# hide logging.info "HTTP GET/POST..." logs from httpxyz` and `logging.getLogger("httpxyz").setLevel(logging.WARNING)`; `reconcile/utils/runtime/integration.py` and `reconcile/ldap_users_api/integration.py` declare `import httpxyz` at module top with `httpxyz.HTTPStatusError` / `httpxyz.Response` API references matching httpx's surface. The uniform find-and-replace across import statements, type annotations, comments, and logger-name strings is the fingerprint of an attacker rewriting a stolen source tree before republishing, not of a legitimate fork.

Installer impact: running the documented `uv sync` install path resolves the `httpxyz` package from PyPI into the environment. On import of the affected modules, the typosquat's code runs in-process with whatever credentials qontract-reconcile is configured with (Vault tokens, AWS credentials, GitLab tokens, Kubernetes service-account tokens; qontract-reconcile is a Red Hat AppSRE reconciler with broad cloud/secret access). The typosquat package's code was not inspected here, but namespace-hijacking a credential-heavy reconciler's HTTP client is a high-value supply-chain attack pattern.


Affected packages

PyPI / qontract-reconcile

No fixed version published yet for qontract-reconcile (pip). Pin to a known-safe version or switch to an alternative.

References