{"id":"MAL-2026-4700","summary":"Malicious code in venturo-playwright (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (602d8b957dc823f0dd6ac61f115e23fce1b433683873a9f4f8351dcbe9a37035)\nPackage presents itself as Microsoft's Playwright: package.json description 'A high-level API to automate web browsers' is Playwright's exact tagline, homepage points to https://playwright.dev, and source files carry 'Copyright (c) Microsoft Corporation' headers. The package is published under the unrelated author 'Venturo' (no email, repo github.com/venturo/playwright) and is not affiliated with Microsoft. All entry points (cli.js, index.js, index.mjs) re-export from a sibling dependency 'venturo-playwright-runner@1.0.9' — for example index.js:16 contains `module.exports = require('venturo-playwright-runner/test')`. Installers expecting Playwright instead pull venturo-playwright-runner into their dependency tree, where any code (including install-time lifecycle hooks) executes with no relation to the legitimate Playwright project. The deliberate Microsoft branding, Playwright homepage, and tagline reuse establish impersonation intent; the wrapper's only function is to silently route consumers into an attacker-controlled transitive.\n","modified":"2026-05-27T00:32:08.628877147Z","published":"2026-05-19T19:08:56Z","withdrawn":"2026-05-26T19:49:27Z","database_specific":{"malicious-packages-origins":[{"sha256":"602d8b957dc823f0dd6ac61f115e23fce1b433683873a9f4f8351dcbe9a37035","id":"IN-MAL-2026-003257","versions":["1.0.13"],"modified_time":"2026-05-19T19:08:56Z","import_time":"2026-05-26T05:50:18.362223218Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/venturo-playwright/v/1.0.13"}],"affected":[{"package":{"name":"venturo-playwright","ecosystem":"npm","purl":"pkg:npm/venturo-playwright"},"versions":["1.0.13"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-yRudI6n37PfdkEf1fZ91/iwKFNCr6fy6ttO6xl1pbnJgMwTMtLNAAnWbrLJpOmu3B7xqUNfGf3v6ORJFzUjN8A==","sha1":"06be18f6147c549568a351dfc963cfb7b92624fc"},"filename":"venturo-playwright-1.0.13.tgz"}],"evidence_files":[{"sha256":"897b7d4731d0668445c1d5cf49d5d4290142b9280a91e5494dd1bf81237c4dc9","path":"package.json","tlsh":"d6012426c4a09dd312c96aa7af394122b036589b4458ae1432c70a2c9bde0bf11fe719"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/venturo-playwright/MAL-2026-4700.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}