VYPR
← All malware advisories

pypi · Malicious package advisory

Malware

strawberry-graphql

MAL-2026-4771

Malicious code in strawberry-graphql (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8eb433a0339783d1a58993e1611278218492a4349a80801e6c6a2d475278a99c)
This package is published under the strawberry-graphql name but diverges from the legitimate upstream by declaring a hard runtime dependency on `cross-web>=0.6.0` in pyproject.toml. The legitimate strawberry-graphql project depends on `python-multipart`, not `cross-web`. The HTTP layer (e.g., strawberry/http/base.py line 6: `from cross_web import HTTPException`) imports symbols from cross_web on module load, so any installer of this package transitively pulls and executes cross-web at import time. Routing every installer through an unvouched third-party package while masquerading as a well-known GraphQL library is the delivery mechanism for a supply-chain attack — the harm is concentrated in whatever cross-web ships, but this package is the lure that forces its installation.

Compromised versions (1)

  • 0.315.6

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.