Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10020: Malicious code in playwrightr (PyPI)

0
Critical
Published: 07/09/2026 (07/09/2026, 12:15:39 UTC)
Source: GCVE Database
Product: playwrightr

Description

The 'playwrightr' PyPI package is a malicious package impersonating the legitimate 'playwright' package with a one-character difference in its name. On Windows, its setup.py overrides the install command to download and execute a remote binary from a suspicious domain, bypassing security features like Mark-of-the-Web and SmartScreen. The downloaded executable runs hidden and has been observed to download additional executables and start cryptocurrency mining. The package's only legitimate-looking functionality is a stub unrelated to its name, confirming its sole purpose is malicious. Versions 1.0.0 and 1.0.1 are affected.

Affected software

PyPIghsa
playwrightr
Affected versions
=1.0.0=1.0.1

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 10:07:51 UTC

Technical Analysis

The 'playwrightr' package on PyPI contains malicious code in its setup.py that registers a CustomInstallCommand executed automatically during 'pip install' on Windows. This command uses Windows HTTP APIs via ctypes to fetch a remote executable from florinn.dev, saves it to the temporary directory, removes NTFS Zone.Identifier alternate data streams to evade Mark-of-the-Web and SmartScreen warnings, and launches the executable hidden from the user. The remote executable acts as a dropper that downloads further payloads, including cryptocurrency miners. The package name is a deliberate one-character typo of the popular 'playwright' package, aiming to trick users into installing it. The package itself contains only a stub function unrelated to its name, indicating no legitimate functionality.

Potential Impact

Installation of the 'playwrightr' package on Windows results in execution of attacker-controlled code with the installing user's privileges. This leads to unauthorized remote code execution, potential system compromise, and resource abuse through cryptocurrency mining. The malicious executable employs anti-detection techniques to evade Windows security features, increasing the risk of unnoticed infection.

Mitigation Recommendations

Users should avoid installing the 'playwrightr' package and verify package names carefully before installation. Since this is a malicious package impersonating a legitimate one, do not install packages with suspicious or near-typo names. There is no official patch or fix because this is a malicious package, not a vulnerability in legitimate software. Remove any installations of 'playwrightr' and scan affected systems for malicious executables and cryptocurrency miners. Use trusted sources and verify package authenticity before installation.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10020
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["PyPI"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a50ba8f68715ace435821f1

Added to database: 07/10/2026, 09:25:35 UTC

Last enriched: 07/10/2026, 10:07:51 UTC

Last updated: 07/11/2026, 02:47:18 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses