VYPR

pypi · Malicious package advisory

Malware

playwrightr

MAL-2026-10020

Malicious code in playwrightr (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1e165b925f82629524e611c81597c32a171df7cec246dc73f268d8192ccbe2c5)
setup.py registers a CustomInstallCommand that runs automatically on `pip install` under Windows. It uses WinHTTP via ctypes to fetch a binary from florinn.dev:65534/ins.exe, writes it to %TEMP%\runner.exe, deletes the NTFS Zone.Identifier alternate data stream to bypass Mark-of-the-Web / SmartScreen warnings, and launches the executable hidden via CreateProcessW with CREATE_NO_WINDOW. The package name is a one-character edit of the widely used 'playwright' PyPI package, and its only shipped functionality is an unrelated `change_theme()` stub referencing pyqt6darktheme, confirming the package exists solely to deliver the dropper. Installer harm: on `pip install playwrightr` on Windows, an attacker-controlled executable runs on the installer's machine with the installing user's privileges and with anti-detection measures actively engaged.

## Source: kam193 (0e8219b6ae0da7b60916526489bcd2f364db415113ff878ea52050127dfa37b9)
Package downloads and runs a remote executable, which was found to downloads further exes and starting coine mining


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-07-pyqt6darktheme


Reasons (based on the campaign):


 - cryptominer


 - Downloads and executes a remote executable.


 - malware


 - The package overrides the install command in setup.py to execute malicious code during installation.

Compromised versions (2)

  • 1.0.0
  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.