{"id":"MAL-2026-4701","summary":"Malicious code in venturo-playwright-runner (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2e63f5fe21c0fe70b9b120a217b3d1b14e765c47de231eb03d0d763c471fbd4e)\nThe package republishes Microsoft's @playwright/test under the unrelated name `venturo-playwright-runner` and falsifies its identity to claim Microsoft ownership: `package.json` sets `author.name = \"Microsoft Corporation\"`, `repository.url = git+https://github.com/microsoft/playwright.git`, and `homepage = https://playwright.dev`. The shipped `index.js` does `module.exports = require('playwright-core')`, re-exporting the real upstream module. However, `package.json` declares a hard dependency on `venturo-playwright-core@1.0.9`, a sibling under the same unknown publisher's namespace that is never `require()`'d anywhere in the package's code (only `playwright-core` is imported). Installing this package therefore silently pulls `venturo-playwright-core@1.0.9` into the installing project's dependency tree under the cover of a Microsoft-branded Playwright wrapper, with no functional reason for that dependency to be present. The combination of top-tier-publisher impersonation and a pinned, unused sibling dependency is the canonical shape used to smuggle attacker-controlled code into installs via the dependency graph while keeping the surface package's own code innocuous to scanners.\n","modified":"2026-05-27T00:32:08.677318030Z","published":"2026-05-19T19:25:21Z","withdrawn":"2026-05-26T19:49:27Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-19T19:25:27Z","import_time":"2026-05-26T05:50:18.867960292Z","versions":["1.0.12"],"sha256":"2e63f5fe21c0fe70b9b120a217b3d1b14e765c47de231eb03d0d763c471fbd4e","source":"amazon-inspector","id":"IN-MAL-2026-003261"},{"id":"IN-MAL-2026-003260","sha256":"89fa63c379193c9b50c6bad6c382d796ca49b812cff8b7c5044cf4d3fef323a9","import_time":"2026-05-26T05:50:18.737234842Z","versions":["1.0.8"],"source":"amazon-inspector","modified_time":"2026-05-19T19:25:21Z"},{"modified_time":"2026-05-19T19:45:42Z","import_time":"2026-05-26T05:50:19.238125062Z","versions":["1.0.6"],"sha256":"aedd44ad288f2fcaea08705f4a4e7a42740122e028c91b880516201e0c90dfa6","source":"amazon-inspector","id":"IN-MAL-2026-003265"},{"modified_time":"2026-05-19T19:40:17Z","versions":["1.0.9"],"sha256":"cd8929429cba74b36ee349e9f8f8ad7ec7d41755093578d7365e69af1505b212","import_time":"2026-05-26T05:50:18.957066934Z","source":"amazon-inspector","id":"IN-MAL-2026-003262"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/venturo-playwright-runner/v/1.0.12"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/venturo-playwright-runner/v/1.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/venturo-playwright-runner/v/1.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/venturo-playwright-runner/v/1.0.9"}],"affected":[{"package":{"name":"venturo-playwright-runner","ecosystem":"npm","purl":"pkg:npm/venturo-playwright-runner"},"versions":["1.0.12","1.0.8","1.0.6","1.0.9"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/venturo-playwright-runner/MAL-2026-4701.json","indicators":{"package_integrity":[{"hashes":{"sha1":"bce5df2c05bb4c707df214ce0dc94e31b262d04e","sha512_sri":"sha512-2cjFo3b5FfDmB6RrFtKsP4ncsLdz1w9bMjVWx61Md8GHvCXw6+dklSqYVQxV8Wr2+S9QFjhpx6BzVRLvbucMyQ=="},"filename":"venturo-playwright-runner-1.0.12.tgz"}],"evidence_files":[{"sha256":"2b165af6431ce0c4b8bb5e3b0ed3d713be93d49ac83c02c928fc716f2871954d","tlsh":"6d310422c4e94d5321853a6aea6e8522b171c99f44147f0537ca05ac8f9d6bf51fe30d","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}
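The two signals the advisory describes, a declared dependency that the package's own code never imports and publisher metadata that points at an organisation the package name does not belong to, can be checked mechanically before a package is allowed into a dependency tree. The script below is an added example written for this page; it is not Amazon Inspector's tooling, nor anything shipped by the ossf/malicious-packages project. The `package.json` and `index.js` contents are reconstructed from the advisory text rather than taken from the real tarball, and the `^1.40.0` range on `playwright-core` is an assumption (the advisory gives no version for it). It only inspects static `require()` and `import` specifiers, so a dependency loaded from a lifecycle script (`preinstall`, `postinstall`) or via a computed specifier would not be attributed to the code and would still show up as unused, which is the conservative direction for a gate like this.

```javascript
// Added example (not from the advisory): flag npm packages whose manifest
// declares dependencies the shipped code never imports, and whose repository
// metadata claims an org the package name is not scoped under.

// Constructed to mirror the advisory's description of venturo-playwright-runner.
// The playwright-core range is assumed; the advisory does not state it.
const PKG_JSON = {
  name: "venturo-playwright-runner",
  version: "1.0.12",
  author: { name: "Microsoft Corporation" },
  repository: { type: "git", url: "git+https://github.com/microsoft/playwright.git" },
  homepage: "https://playwright.dev",
  main: "index.js",
  dependencies: {
    "playwright-core": "^1.40.0",
    "venturo-playwright-core": "1.0.9",
  },
};

// Constructed file map: path -> source text of every JS file in the tarball.
const PKG_FILES = {
  "index.js": "module.exports = require('playwright-core');\n",
};

// Static specifiers: require('x'), import ... from 'x', import('x').
const REQUIRE_RE = /require\(\s*['"]([^'"]+)['"]\s*\)/g;
const IMPORT_RE = /\bimport\b[^'"]*['"]([^'"]+)['"]/g;
const DYNAMIC_IMPORT_RE = /import\(\s*['"]([^'"]+)['"]\s*\)/g;

// Map a module specifier to the npm package that provides it.
// Relative paths, absolute paths and node: builtins are not packages.
// "foo/sub" -> "foo", "@scope/pkg/sub" -> "@scope/pkg".
function specifierToPackage(spec) {
  if (spec.startsWith(".") || spec.startsWith("/") || spec.startsWith("node:")) return null;
  const parts = spec.split("/");
  return spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Set of package names referenced by any static import in the file map.
function importedPackages(files) {
  const seen = new Set();
  for (const src of Object.values(files)) {
    for (const re of [REQUIRE_RE, IMPORT_RE, DYNAMIC_IMPORT_RE]) {
      for (const m of src.matchAll(re)) {
        const pkg = specifierToPackage(m[1]);
        if (pkg) seen.add(pkg);
      }
    }
  }
  return seen;
}

// Declared runtime dependencies with no static import anywhere in the code.
// Each one is pulled into every installer's tree for no functional reason.
function unusedDependencies(pkgJson, files) {
  const imported = importedPackages(files);
  return Object.keys(pkgJson.dependencies || {}).filter((d) => !imported.has(d));
}

// GitHub org named in repository.url, lower-cased, or null if not GitHub.
function repoOrg(url) {
  const m = /github\.com[/:]([^/]+)\//.exec(url || "");
  return m ? m[1].toLowerCase() : null;
}

// Flag when repository.url names an org but the package is not published
// under an npm scope of the same name. An unscoped package claiming
// microsoft/playwright is exactly the shape the advisory describes.
function identityMismatch(pkgJson) {
  const org = repoOrg(pkgJson.repository && pkgJson.repository.url);
  if (!org) return null;
  const name = pkgJson.name;
  const scope = name.startsWith("@") ? name.slice(1).split("/")[0].toLowerCase() : null;
  if (scope === org) return null;
  return { name, claimedOrg: org, scope };
}

function audit(pkgJson, files) {
  return {
    unusedDeps: unusedDependencies(pkgJson, files),
    identity: identityMismatch(pkgJson),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(audit(PKG_JSON, PKG_FILES), null, 2));
}
```

Run against the constructed input, `audit()` reports `venturo-playwright-core` as an unused dependency and a repository URL claiming the `microsoft` org for an unscoped package. Either finding alone is common in sloppy but benign packages; both together on a package that merely re-exports an upstream module is the pattern to block, and the unused sibling is the artifact to pull and inspect next.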