MAL-2026-10020

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/playwrightr/MAL-2026-10020.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10020
Published
2026-07-09T12:15:39Z
Modified
2026-07-09T16:32:05.802065974Z
Summary
Malicious code in playwrightr (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1e165b925f82629524e611c81597c32a171df7cec246dc73f268d8192ccbe2c5)

setup.py registers a CustomInstallCommand that runs automatically on pip install under Windows. It uses WinHTTP via ctypes to fetch a binary from florinn.dev:65534/ins.exe, writes it to %TEMP%\runner.exe, deletes the NTFS Zone.Identifier alternate data stream to bypass Mark-of-the-Web / SmartScreen warnings, and launches the executable hidden via CreateProcessW with CREATENOWINDOW. The package name is a one-character edit of the widely used 'playwright' PyPI package, and its only shipped functionality is an unrelated change_theme() stub referencing pyqt6darktheme, confirming the package exists solely to deliver the dropper. Installer harm: on pip install playwrightr on Windows, an attacker-controlled executable runs on the installer's machine with the installing user's privileges and with anti-detection measures actively engaged.

Source: kam193 (0e8219b6ae0da7b60916526489bcd2f364db415113ff878ea52050127dfa37b9)

Package downloads and runs a remote executable, which was found to downloads further exes and starting coine mining


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-pyqt6darktheme

Reasons (based on the campaign):

  • cryptominer

  • Downloads and executes a remote executable.

  • malware

  • The package overrides the install command in setup.py to execute malicious code during installation.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "0e8219b6ae0da7b60916526489bcd2f364db415113ff878ea52050127dfa37b9",
            "id": "pypi/2026-07-pyqt6darktheme/playwrightr",
            "import_time": "2026-07-09T13:32:44.484393939Z",
            "modified_time": "2026-07-09T12:15:39.382976Z",
            "versions": [
                "1.0.0",
                "1.0.1"
            ],
            "source": "kam193"
        },
        {
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-009100",
            "modified_time": "2026-07-09T15:28:17Z",
            "sha256": "1e165b925f82629524e611c81597c32a171df7cec246dc73f268d8192ccbe2c5",
            "import_time": "2026-07-09T16:20:40.627536419Z",
            "source": "amazon-inspector"
        }
    ],
    "iocs": {
        "urls": [
            "http://florinn.dev:65534/ins.exe",
            "http://florinn.dev:65534/kasgjiasjfiw.exe",
            "http://florinn.dev:65534/kasgjiasjfim.exe"
        ],
        "domains": [
            "florinn.dev"
        ]
    }
}
References
Credits

Affected packages

PyPI / playwrightr

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "playwrightr-1.0.1.tar.gz",
            "hashes": {
                "md5": "132eb65f6618972dd47f6b82c31eaed0",
                "sha256": "8b92101024de058bed2efa855a28e34bef40f6e24d173a53e9d41e07ce246303",
                "blake2b_256": "4f43e2271589ad308080915bc066e4e543a4140f0aba8ef4f931752ca9807da7"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "e0d22cf8d0437143ca3a2e58556acb4e125b63eee5b3aee8351fdc7e2939bf47",
            "tlsh": "2e12ad829e8ee29057728108da179449fe1b16135d700e3b7bbc86729f393bf8178b95",
            "path": "setup.py"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/playwrightr/MAL-2026-10020.json"