npm

@venturo/playwright @1.1.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4461

Ecosystem

npm

Summary

@venturo/playwright impersonates Microsoft's @playwright/test: package.json sets author to 'Microsoft Corporation', homepage to 'https://playwright.dev', and repository to 'microsoft/playwright', while the source is a near-verbatim copy of @playwright/test's API surface. The package declares a single dependency 'venturo-playwright-core: 1.0.9' — a non-Microsoft package under an unrelated namespace — which npm install silently pulls into the installer's dependency tree. Notably, the code itself (index.js, index.mjs, lib/index.js, lib/program.js) requires 'playwright-core' rather than 'venturo-playwright-core', so this tarball only functions when Microsoft's real playwright-core is already resolvable — but installation still grafts the attacker-controlled venturo-playwright-core into the dependency graph. Whatever code that sibling ships at install/require time is delivered to every installer of this package; the Microsoft attribution is the cover story that makes installers trust the lure.

Source: amazon-inspector (0e9a29f430bb3a664936cb27d7cc0dc6f3e8764ae0fae7e9fc8e001fcece43c8)
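The mismatch the summary describes (a declared dependency the code never loads, and a loaded module the manifest never declares) can be checked before install by comparing an unpacked tarball's package.json against its import specifiers. The following is an added example, not code from the advisory or from either package: the function names are hypothetical, the file contents are constructed to match the summary, and the regex scan is a heuristic rather than a full parser.

```javascript
const { builtinModules } = require('node:module');

// Reduce a specifier to its package name: '@scope/pkg/sub' -> '@scope/pkg'.
function packageNameOf(spec) {
  if (/^(\.|\/|node:)/.test(spec)) return null; // relative, absolute, node: builtin
  const parts = spec.split('/');
  const name = spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return builtinModules.includes(name) ? null : name;
}

// Collect package names from require('x'), import('x') and import/export ... from 'x'.
// Heuristic: dynamic specifiers and bare side-effect imports are not seen.
function referencedPackages(sources) {
  const re = /(?:require|import)\s*\(\s*['"]([^'"]+)['"]\s*\)|(?:import|export)\s[^'"]*?from\s*['"]([^'"]+)['"]/g;
  const found = new Set();
  for (const text of Object.values(sources)) {
    for (const m of text.matchAll(re)) {
      const name = packageNameOf(m[1] || m[2]);
      if (name) found.add(name);
    }
  }
  return found;
}

// Compare what the manifest installs with what the code actually loads.
function auditManifest(pkg, sources) {
  const declared = new Set(Object.keys({ ...pkg.dependencies, ...pkg.optionalDependencies }));
  const peers = new Set(Object.keys(pkg.peerDependencies || {}));
  const used = referencedPackages(sources);
  return {
    declaredNeverImported: [...declared].filter((d) => !used.has(d)).sort(),
    importedNeverDeclared: [...used]
      .filter((u) => !declared.has(u) && !peers.has(u) && u !== pkg.name).sort(),
  };
}

// Constructed sample: manifest fields as quoted in the summary, file bodies invented.
const samplePkg = {
  name: '@venturo/playwright', version: '1.1.0', author: 'Microsoft Corporation',
  homepage: 'https://playwright.dev', repository: 'microsoft/playwright',
  dependencies: { 'venturo-playwright-core': '1.0.9' },
};
const sampleSources = {
  'index.js': "module.exports = require('playwright-core');",
  'index.mjs': "export * from 'playwright-core';",
  'lib/program.js': "const path = require('path');\nrequire('playwright-core/sub/path');",
};
console.log(auditManifest(samplePkg, sampleSources));
```

Either list being non-empty is a review signal rather than proof of malice; a dependency that is installed but never imported still runs any install scripts it ships.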
