MAL-2026-4700

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/venturo-playwright/MAL-2026-4700.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4700
Withdrawn
2026-05-26T19:49:27Z
Published
2026-05-19T19:08:56Z
Modified
2026-05-27T00:32:08.628877147Z
Summary
Malicious code in venturo-playwright (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (602d8b957dc823f0dd6ac61f115e23fce1b433683873a9f4f8351dcbe9a37035)

Package presents itself as Microsoft's Playwright: package.json description 'A high-level API to automate web browsers' is Playwright's exact tagline, homepage points to https://playwright.dev, and source files carry 'Copyright (c) Microsoft Corporation' headers. The package is published under the unrelated author 'Venturo' (no email, repo github.com/venturo/playwright) and is not affiliated with Microsoft. All entry points (cli.js, index.js, index.mjs) re-export from a sibling dependency 'venturo-playwright-runner@1.0.9' — for example index.js:16 contains module.exports = require('venturo-playwright-runner/test'). Installers expecting Playwright instead pull venturo-playwright-runner into their dependency tree, where any code (including install-time lifecycle hooks) executes with no relation to the legitimate Playwright project. The deliberate Microsoft branding, Playwright homepage, and tagline reuse establish impersonation intent; the wrapper's only function is to silently route consumers into an attacker-controlled transitive.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "602d8b957dc823f0dd6ac61f115e23fce1b433683873a9f4f8351dcbe9a37035",
            "id": "IN-MAL-2026-003257",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:18.362223218Z",
            "modified_time": "2026-05-19T19:08:56Z",
            "versions": [
                "1.0.13"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / venturo-playwright

Package

Affected ranges

Affected versions

1.*
1.0.13

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "venturo-playwright-1.0.13.tgz",
            "hashes": {
                "sha1": "06be18f6147c549568a351dfc963cfb7b92624fc",
                "sha512_sri": "sha512-yRudI6n37PfdkEf1fZ91/iwKFNCr6fy6ttO6xl1pbnJgMwTMtLNAAnWbrLJpOmu3B7xqUNfGf3v6ORJFzUjN8A=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "d6012426c4a09dd312c96aa7af394122b036589b4458ae1432c70a2c9bde0bf11fe719",
            "sha256": "897b7d4731d0668445c1d5cf49d5d4290142b9280a91e5494dd1bf81237c4dc9"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/venturo-playwright/MAL-2026-4700.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]