-= Per source details. Do not edit below this line.=-
The package republishes Microsoft's @playwright/test under the unrelated name venturo-playwright-runner and falsifies its identity to claim Microsoft ownership: package.json sets author.name = "Microsoft Corporation", repository.url = git+https://github.com/microsoft/playwright.git, and homepage = https://playwright.dev. The shipped index.js sets module.exports = require('playwright-core'), re-exporting the real upstream module. However, package.json declares a hard dependency on venturo-playwright-core@1.0.9 — a sibling under the same unknown publisher's namespace that is never require()'d anywhere in the package's code (only playwright-core is imported). npm installs every declared dependency, and by default runs its install-time lifecycle scripts, whether or not the package's code ever imports it. Installing this package therefore silently pulls venturo-playwright-core@1.0.9 into the installing project's dependency tree under the cover of a Microsoft-branded Playwright wrapper, with no functional reason for that dependency to be present. The combination of top-tier-publisher impersonation plus a pinned, unused sibling dependency is the canonical shape used to smuggle attacker-controlled code into installers via the dependency graph while keeping the surface package's own code innocuous to scanners. This write-up covers only the wrapper's package.json and index.js; it does not describe the contents of venturo-playwright-core. The reference URL listed with this record points into the repository's osv/withdrawn/ directory, so confirm the record's current status before acting on it.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.12"
],
"sha256": "2e63f5fe21c0fe70b9b120a217b3d1b14e765c47de231eb03d0d763c471fbd4e",
"modified_time": "2026-05-19T19:25:27Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-003261",
"import_time": "2026-05-26T05:50:18.867960292Z"
},
{
"versions": [
"1.0.8"
],
"sha256": "89fa63c379193c9b50c6bad6c382d796ca49b812cff8b7c5044cf4d3fef323a9",
"modified_time": "2026-05-19T19:25:21Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-003260",
"import_time": "2026-05-26T05:50:18.737234842Z"
},
{
"versions": [
"1.0.6"
],
"sha256": "aedd44ad288f2fcaea08705f4a4e7a42740122e028c91b880516201e0c90dfa6",
"modified_time": "2026-05-19T19:45:42Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-003265",
"import_time": "2026-05-26T05:50:19.238125062Z"
},
{
"versions": [
"1.0.9"
],
"sha256": "cd8929429cba74b36ee349e9f8f8ad7ec7d41755093578d7365e69af1505b212",
"modified_time": "2026-05-19T19:40:17Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:18.957066934Z",
"id": "IN-MAL-2026-003262"
}
]
}{
"package_integrity": [
{
"filename": "venturo-playwright-runner-1.0.12.tgz",
"hashes": {
"sha512_sri": "sha512-2cjFo3b5FfDmB6RrFtKsP4ncsLdz1w9bMjVWx61Md8GHvCXw6+dklSqYVQxV8Wr2+S9QFjhpx6BzVRLvbucMyQ==",
"sha1": "bce5df2c05bb4c707df214ce0dc94e31b262d04e"
}
}
],
"evidence_files": [
{
"sha256": "2b165af6431ce0c4b8bb5e3b0ed3d713be93d49ac83c02c928fc716f2871954d",
"path": "package.json",
"tlsh": "6d310422c4e94d5321853a6aea6e8522b171c99f44147f0537ca05ac8f9d6bf51fe30d"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/venturo-playwright-runner/MAL-2026-4701.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]