pypi

playwrightr @1.0.1

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 6:33 PM UTC

Malicious

OSV ID

MAL-2026-10020

Ecosystem

pypi

Summary

setup.py registers a CustomInstallCommand that runs automatically on pip install under Windows. It uses WinHTTP via ctypes to fetch a binary from florinn.dev:65534/ins.exe, writes it to %TEMP%\runner.exe, deletes the NTFS Zone.Identifier alternate data stream to bypass Mark-of-the-Web / SmartScreen warnings, and launches the executable hidden via CreateProcessW with CREATE_NO_WINDOW. The package name is a one-character edit of the widely used 'playwright' PyPI package, and its only shipped functionality is an unrelated change_theme() stub referencing pyqt6darktheme, confirming the package exists solely to deliver the dropper. Installer harm: on pip install playwrightr on Windows, an attacker-controlled executable runs on the installer's machine with the installing user's privileges and with anti-detection measures actively engaged.

Source: amazon-inspector (1e165b925f82629524e611c81597c32a171df7cec246dc73f268d8192ccbe2c5)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.