Malicious code in strawberry-graphql (PyPI)

__

Source: amazon-inspector (8eb433a0339783d1a58993e1611278218492a4349a80801e6c6a2d475278a99c)

This package is published under the strawberry-graphql name but diverges from the legitimate upstream by declaring a hard runtime dependency on cross-web>=0.6.0 in pyproject.toml. The legitimate strawberry-graphql project depends on python-multipart, not cross-web. The HTTP layer (e.g., strawberry/http/base.py line 6: from cross_web import HTTPException) imports symbols from cross_web on module load, so any installer of this package transitively pulls and executes cross-web at import time. Routing every installer through an unvouched third-party package while masquerading as a well-known GraphQL library is the delivery mechanism for a supply-chain attack — the harm is concentrated in whatever cross-web ships, but this package is the lure that forces its installation.