MAL-2026-4771
Malicious code in strawberry-graphql (PyPI)
Details
## Source: amazon-inspector (8eb433a0339783d1a58993e1611278218492a4349a80801e6c6a2d475278a99c)

This package is published under the strawberry-graphql name but diverges from the legitimate upstream by declaring a hard runtime dependency on `cross-web>=0.6.0` in pyproject.toml. The legitimate strawberry-graphql project depends on `python-multipart`, not `cross-web`. The HTTP layer (e.g., strawberry/http/base.py line 6: `from cross_web import HTTPException`) imports symbols from cross_web on module load, so any installer of this package transitively pulls and executes cross-web at import time. Routing every installer through an unvouched third-party package while masquerading as a well-known GraphQL library is the delivery mechanism for a supply-chain attack — the harm is concentrated in whatever cross-web ships, but this package is the lure that forces its installation.
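A defender-side check for the two indicators described above (a declared dependency the upstream project does not declare, and an import of that package at module load), added here as an example; it is not part of the advisory or of the strawberry-graphql project. The expected-dependency allowlist is an assumption to be filled from the upstream project's own pyproject.toml, and the pyproject fragment and source snippet below are constructed.

```python
import re

try:
    import tomllib  # stdlib TOML parser on Python 3.11+
except ImportError:  # older interpreters fall back to the minimal extractor below
    tomllib = None

# Runtime dependencies the legitimate upstream declares. The advisory names
# python-multipart; in practice fill this set from the upstream pyproject.toml.
EXPECTED_DEPENDENCIES = {"python-multipart"}

# Constructed pyproject.toml fragment mimicking the rogue package described above.
ROGUE_PYPROJECT = """
[project]
name = "strawberry-graphql"
version = "0.0.0"
dependencies = [
    "python-multipart>=0.0.7",
    "cross-web>=0.6.0",
]
"""

# Constructed source snippet carrying the module-load import the advisory points at.
ROGUE_SOURCE = "from cross_web import HTTPException\nimport json\n"


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Cross_Web' and 'cross-web' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def declared_dependencies(pyproject_text: str) -> list[str]:
    """Project names (version specifiers stripped) from [project].dependencies."""
    if tomllib is not None:
        deps = tomllib.loads(pyproject_text).get("project", {}).get("dependencies", [])
    else:
        block = re.search(r"dependencies\s*=\s*\[(.*?)\]", pyproject_text, re.S)
        deps = re.findall(r'"([^"]+)"', block.group(1)) if block else []
    matches = (re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", d) for d in deps)
    return [m.group(0) for m in matches if m]


def unexpected_dependencies(pyproject_text: str) -> set[str]:
    """Declared dependencies that the known-good upstream does not declare."""
    expected = {normalize(n) for n in EXPECTED_DEPENDENCIES}
    return {normalize(n) for n in declared_dependencies(pyproject_text)} - expected


def unexpected_imports(source: str, allowed_modules: set[str]) -> set[str]:
    """Top-level modules imported by `source` that are not on the allowlist."""
    found = re.findall(r"^\s*(?:from|import)\s+([A-Za-z_]\w*)", source, re.M)
    return set(found) - allowed_modules


if __name__ == "__main__":
    print("unexpected dependencies:", unexpected_dependencies(ROGUE_PYPROJECT))
    print("unexpected imports:", unexpected_imports(ROGUE_SOURCE, {"json", "strawberry"}))
```

Run it against the unpacked sdist or wheel of a candidate release before installing; any name in either set is a reason to hold the upgrade and compare against the upstream repository.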
Affected packages
No fixed version published yet for strawberry-graphql (pip). Pin to a known-safe version or switch to an alternative.