MAL-2026-10020: Malicious code in playwrightr (PyPI)
The 'playwrightr' PyPI package is a malicious package impersonating the legitimate 'playwright' package with a one-character difference in its name. On Windows, its setup.py overrides the install command to download and execute a remote binary from a suspicious domain, bypassing security features like Mark-of-the-Web and SmartScreen. The downloaded executable runs hidden and has been observed to download additional executables and start cryptocurrency mining. The package's only legitimate-looking functionality is a stub unrelated to its name, confirming its sole purpose is malicious. Versions 1.0.0 and 1.0.1 are affected.
AI Analysis
Technical Summary
The 'playwrightr' package on PyPI contains malicious code in its setup.py that registers a CustomInstallCommand executed automatically during 'pip install' on Windows. This command uses Windows HTTP APIs via ctypes to fetch a remote executable from florinn.dev, saves it to the temporary directory, removes NTFS Zone.Identifier alternate data streams to evade Mark-of-the-Web and SmartScreen warnings, and launches the executable hidden from the user. The remote executable acts as a dropper that downloads further payloads, including cryptocurrency miners. The package name is a deliberate one-character typo of the popular 'playwright' package, aiming to trick users into installing it. The package itself contains only a stub function unrelated to its name, indicating no legitimate functionality.
Potential Impact
Installation of the 'playwrightr' package on Windows results in execution of attacker-controlled code with the installing user's privileges. This leads to unauthorized remote code execution, potential system compromise, and resource abuse through cryptocurrency mining. The malicious executable employs anti-detection techniques to evade Windows security features, increasing the risk of unnoticed infection.
Mitigation Recommendations
Users should avoid installing the 'playwrightr' package and verify package names carefully before installation. Since this is a malicious package impersonating a legitimate one, do not install packages with suspicious or near-typo names. There is no official patch or fix because this is a malicious package, not a vulnerability in legitimate software. Remove any installations of 'playwrightr' and scan affected systems for malicious executables and cryptocurrency miners. Use trusted sources and verify package authenticity before installation.
MAL-2026-10020: Malicious code in playwrightr (PyPI)
Description
The 'playwrightr' PyPI package is a malicious package impersonating the legitimate 'playwright' package with a one-character difference in its name. On Windows, its setup.py overrides the install command to download and execute a remote binary from a suspicious domain, bypassing security features like Mark-of-the-Web and SmartScreen. The downloaded executable runs hidden and has been observed to download additional executables and start cryptocurrency mining. The package's only legitimate-looking functionality is a stub unrelated to its name, confirming its sole purpose is malicious. Versions 1.0.0 and 1.0.1 are affected.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'playwrightr' package on PyPI contains malicious code in its setup.py that registers a CustomInstallCommand executed automatically during 'pip install' on Windows. This command uses Windows HTTP APIs via ctypes to fetch a remote executable from florinn.dev, saves it to the temporary directory, removes NTFS Zone.Identifier alternate data streams to evade Mark-of-the-Web and SmartScreen warnings, and launches the executable hidden from the user. The remote executable acts as a dropper that downloads further payloads, including cryptocurrency miners. The package name is a deliberate one-character typo of the popular 'playwright' package, aiming to trick users into installing it. The package itself contains only a stub function unrelated to its name, indicating no legitimate functionality.
Potential Impact
Installation of the 'playwrightr' package on Windows results in execution of attacker-controlled code with the installing user's privileges. This leads to unauthorized remote code execution, potential system compromise, and resource abuse through cryptocurrency mining. The malicious executable employs anti-detection techniques to evade Windows security features, increasing the risk of unnoticed infection.
Mitigation Recommendations
Users should avoid installing the 'playwrightr' package and verify package names carefully before installation. Since this is a malicious package impersonating a legitimate one, do not install packages with suspicious or near-typo names. There is no official patch or fix because this is a malicious package, not a vulnerability in legitimate software. Remove any installations of 'playwrightr' and scan affected systems for malicious executables and cryptocurrency miners. Use trusted sources and verify package authenticity before installation.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10020
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["PyPI"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50ba8f68715ace435821f1
Added to database: 07/10/2026, 09:25:35 UTC
Last enriched: 07/10/2026, 10:07:51 UTC
Last updated: 07/11/2026, 02:47:18 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.