MAL-2026-4701

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/venturo-playwright-runner/MAL-2026-4701.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4701
Withdrawn
2026-05-26T19:49:27Z
Published
2026-05-19T19:25:21Z
Modified
2026-05-27T00:32:08.677318030Z
Summary
Malicious code in venturo-playwright-runner (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2e63f5fe21c0fe70b9b120a217b3d1b14e765c47de231eb03d0d763c471fbd4e)

The package republishes Microsoft's @playwright/test under the unrelated name venturo-playwright-runner and falsifies its identity to claim Microsoft ownership: package.json sets author.name = "Microsoft Corporation", repository.url = git+https://github.com/microsoft/playwright.git, and homepage = https://playwright.dev. The shipped index.js does module.exports = require('playwright-core'), re-exporting the real upstream module. However, package.json declares a hard dependency on venturo-playwright-core@1.0.9 — a sibling under the same unknown publisher's namespace that is never require()'d anywhere in the package's code (only playwright-core is imported). Installing this package therefore silently pulls venturo-playwright-core@1.0.9 into the installer's dependency tree under the cover of a Microsoft-branded Playwright wrapper, with no functional reason for that dependency to be present. The combination of top-tier-publisher impersonation plus a pinned, unused sibling dependency is the canonical shape used to smuggle attacker-controlled code into installers via the dependency graph while keeping the surface package's own code innocuous to scanners.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.12"
            ],
            "sha256": "2e63f5fe21c0fe70b9b120a217b3d1b14e765c47de231eb03d0d763c471fbd4e",
            "modified_time": "2026-05-19T19:25:27Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003261",
            "import_time": "2026-05-26T05:50:18.867960292Z"
        },
        {
            "versions": [
                "1.0.8"
            ],
            "sha256": "89fa63c379193c9b50c6bad6c382d796ca49b812cff8b7c5044cf4d3fef323a9",
            "modified_time": "2026-05-19T19:25:21Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003260",
            "import_time": "2026-05-26T05:50:18.737234842Z"
        },
        {
            "versions": [
                "1.0.6"
            ],
            "sha256": "aedd44ad288f2fcaea08705f4a4e7a42740122e028c91b880516201e0c90dfa6",
            "modified_time": "2026-05-19T19:45:42Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003265",
            "import_time": "2026-05-26T05:50:19.238125062Z"
        },
        {
            "versions": [
                "1.0.9"
            ],
            "sha256": "cd8929429cba74b36ee349e9f8f8ad7ec7d41755093578d7365e69af1505b212",
            "modified_time": "2026-05-19T19:40:17Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:18.957066934Z",
            "id": "IN-MAL-2026-003262"
        }
    ]
}

Affected packages

npm / venturo-playwright-runner

Package

Name
venturo-playwright-runner
Purl
pkg:npm/venturo-playwright-runner

Affected ranges

Affected versions

1.*
1.0.6
1.0.8
1.0.9
1.0.12

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "venturo-playwright-runner-1.0.12.tgz",
            "hashes": {
                "sha512_sri": "sha512-2cjFo3b5FfDmB6RrFtKsP4ncsLdz1w9bMjVWx61Md8GHvCXw6+dklSqYVQxV8Wr2+S9QFjhpx6BzVRLvbucMyQ==",
                "sha1": "bce5df2c05bb4c707df214ce0dc94e31b262d04e"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "2b165af6431ce0c4b8bb5e3b0ed3d713be93d49ac83c02c928fc716f2871954d",
            "path": "package.json",
            "tlsh": "6d310422c4e94d5321853a6aea6e8522b171c99f44147f0537ca05ac8f9d6bf51fe30d"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/venturo-playwright-runner/MAL-2026-4701.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]