Supply-chain threat intelligence
Risk score
92
Indexed incident for qontract-reconcile (pypi).
This release of qontract-reconcile uses uv's [[tool.uv.dependency-metadata]] mechanism in pyproject.toml to override the declared dependencies of the pagerduty package and inject httpxyz>=0.31, a typosquat of the widely used httpx HTTP client.

Every legitimate "import httpx" reference in the source tree has been mechanically rewritten to "import httpxyz", including comment text and logger-name strings. For example, reconcile/utils/runtime/environment.py contains the comment # hide logging.info "HTTP GET/POST..." logs from httpxyz and the call logging.getLogger("httpxyz").setLevel(logging.WARNING); reconcile/utils/runtime/integration.py and reconcile/ldap_users_api/integration.py declare import httpxyz at module top and reference httpxyz.HTTPStatusError / httpxyz.Response, matching httpx's API surface. A uniform find-and-replace across import statements, type annotations, comments, and logger-name strings is the fingerprint of an attacker rewriting a stolen source tree before republishing it, not of a legitimate fork.

Installer impact: running the documented uv sync install path resolves the httpxyz package from PyPI into the environment. On import of the affected modules, the typosquat's code runs in-process with whatever credentials qontract-reconcile is configured with (Vault tokens, AWS credentials, GitLab tokens, Kubernetes service-account tokens); qontract-reconcile is a Red Hat AppSRE reconciler with broad cloud and secret access. The typosquat package's code was not inspected here, but hijacking the HTTP client namespace of a credential-heavy reconciler is a high-value supply-chain attack pattern.
Affected versions
Indicators
Timeline