npm · Malicious package advisory
Malware@venturo/playwright
MAL-2026-4461
Malicious code in @venturo/playwright (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (0e9a29f430bb3a664936cb27d7cc0dc6f3e8764ae0fae7e9fc8e001fcece43c8) @venturo/playwright impersonates Microsoft's @playwright/test: package.json sets author to 'Microsoft Corporation', homepage to 'https://playwright.dev', and repository to 'microsoft/playwright', while the source is a near-verbatim copy of @playwright/test's API surface. The package declares a single dependency 'venturo-playwright-core: 1.0.9' — a non-Microsoft package under an unrelated namespace — which npm install silently pulls into the installer's dependency tree. Notably, the code itself (index.js, index.mjs, lib/index.js, lib/program.js) requires 'playwright-core' rather than 'venturo-playwright-core', so this tarball only functions when Microsoft's real playwright-core is already resolvable — but installation still grafts the attacker-controlled venturo-playwright-core into the dependency graph. Whatever code that sibling ships at install/require time is delivered to every installer of this package; the Microsoft attribution is the cover story that makes installers trust the lure.
Compromised versions (1)
- 1.1.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.